A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
-unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
<b>sun</b> discards such certificates and aborts the connection setup.
moon::cat /var/log/daemon.log::sending end entity cert::YES
moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 random nonce openssl revocation curl hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown
multiple_authentication = no
+}
+libstrongswan {
x509 {
enforce_critical = no
}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 random nonce openssl curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
multiple_authentication = no
}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::rm /etc/swanctl/x509/moonCert.der
+sun::rm /etc/swanctl/x509/sunCert.der
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::rm /etc/swanctl/x509/moonCert.pem
+sun::rm /etc/swanctl/x509/sunCert.pem
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1