--- /dev/null
+At the outset the gateway authenticates itself to the client by sending an
+IKEv2 <b>RSA signature</b> accompanied by a certificate.
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with the <i>Authentication and Key Agreement</i> protocol
+(<b>EAP-AKA</b>) to authenticate against the gateway. In this scenario,
+quintuplets from the SQL database /etc/ipsec.d/ipsec.db are used instead
+of a physical USIM card on the client <b>carol</b>. The USIM provider on
+gateway <b>moon</b> also stores the quintuplets in an SQL database.
--- /dev/null
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
--- /dev/null
+INSERT INTO quintuplets
+ (id, used, rand, autn, ck, ik, res) VALUES
+ ('carol@strongswan.org', 0,
+ X'00112233445566778899AABBCCDDEEFF',
+ X'112233445566778899AABBCCDDEEFF00',
+ X'2233445566778899AABBCCDDEEFF0011',
+ X'33445566778899AABBCCDDEEFF001122',
+ X'00112233445566778899'
+ );
--- /dev/null
+DROP TABLE IF EXISTS quintuplets;
+CREATE TABLE quintuplets (
+ id TEXT NOT NULL,
+ used INTEGER NOT NULL,
+ rand BLOB NOT NULL,
+ autn BLOB NOT NULL,
+ ck BLOB NOT NULL,
+ ik BLOB NOT NULL,
+ res BLOB NOT NULL
+);
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ plugins {
+ eap-simaka-sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+INSERT INTO quintuplets
+ (id, used, rand, autn, ck, ik, res) VALUES
+ ('carol@strongswan.org', 0,
+ X'00112233445566778899AABBCCDDEEFF',
+ X'112233445566778899AABBCCDDEEFF00',
+ X'2233445566778899AABBCCDDEEFF0011',
+ X'33445566778899AABBCCDDEEFF001122',
+ X'00112233445566778899'
+ );
--- /dev/null
+DROP TABLE IF EXISTS quintuplets;
+CREATE TABLE quintuplets (
+ id TEXT NOT NULL,
+ used INTEGER NOT NULL,
+ rand BLOB NOT NULL,
+ autn BLOB NOT NULL,
+ ck BLOB NOT NULL,
+ ik BLOB NOT NULL,
+ res BLOB NOT NULL
+);
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ plugins {
+ eap-simaka-sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+}
--- /dev/null
+connections {
+
+ rw-eap {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-aka
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
+moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
+carol::cd /etc/swanctl; rm rsa/* x509/*
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
projects / thirdparty / strongswan.git / commitdiff
