+++ /dev/null
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b> that are valid until
-the year 2039 and are issued by a certification authority with a root ca
-certificate valid until the year 2059. On 32-bit platforms, dates after
-Jan 19 03:14:07 UTC 2038 cannot by represented by the time_t data type.
-Thus if a time wrap-around occurs during ASN.1 to time_t conversions,
-dates contained in the certificates are set to the maximum value,
-i.e. to Jan 19 03:14:07 UTC 2038.
-
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> ping the client <b>alice</b>
-behind the gateway <b>moon</b>.
+++ /dev/null
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
-bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
-NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
-HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
-A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
-4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
-2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
-ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
-dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
-sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
-kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
-YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
-qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
-HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
-UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
-xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
-Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
-/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
-Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
-Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
-9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
-9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
-ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
-XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
-e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
-99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
-AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
-YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
-CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
-c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
-ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
-hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
-71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
-/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
-lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
-8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
-RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
-Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
-xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
-PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
-6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
-c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
-MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
-vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
-RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
-uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
-inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
-CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
-8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
-9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
-cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
-d/Fp6btmZH31IEyJrRNVOpCwZPI=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIINzCCBB+gAwIBAgIBATANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
-b25zdGVyIENBMB4XDTA5MDMyODE0MDYwOFoXDTM5MDMyMTE0MDYwOFowWTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
-bnN0ZXIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIICIjANBgkqhkiG
-9w0BAQEFAAOCAg8AMIICCgKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgR
-yGVG6HVoA3DU/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mp
-dYtP53SWASOHBiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkw
-BebpMLCf2Mi1robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bO
-FPoBoBOY7v4fuq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DW
-kk1vTt4jplSg6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5
-mGabckTMvtI591UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014l
-cFg11mzjXGGBFuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest
-2X0psHe3AlocUFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9C
-uezkuM1QEvkev5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+
-t8GhCKV6B7RTzFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3Hh
-fTZstGECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTy8LU5yQdnV8pfwhCPY7q/CiNyzjB4BgNVHSMEcTBvgBQZYq2Wq8b7148Q
-xFb/QGMiQnB2DqFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
-cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gTW9uc3RlciBDQYIJAIORWNru
-S4GuMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMEEGA1UdHwQ6MDgw
-NqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1tb25z
-dGVyLmNybDANBgkqhkiG9w0BAQ0FAAOCBAEAi39l78OCI9S0I3X62HbkxiLguvnc
-CbXY6Tqmz0Ms8xqZgYzJOk7FLB/4v/zJohOH5nd7KxJ81KbcERyASpybaLM0/V+V
-oGT0rDGGH5cS4H2uYfs9HsKFKKPbZeCnExFyCamXjBZkl5IZNjdpS9TLyXRJSyFN
-OIRNhILPSriqdtzgRuGOeX798U8o0ObizGQRVlT0p0lI4t64dzZbIh3jSXjCf1Tz
-cmVOC8qhhGvxLlorSy5K98t2zNY7DvzwtvoQrNFGtso1kvfmaO4XRCvSZsmqPpC5
-mmWJjNEG2qcbmfpt8TotyUHgEJTZXwXlPVVb5OXHTW6jXk/MN0UiMTLJYcvJ1gji
-kSnGNHzRH2rKlYRED+jlzzHAWSv0mBGcOTdmfBV6+TJ7QhWhLZBzAUfwqXpAy9Vk
-idtyB0eSWBTIvhZY6SzB0Rvkdj0FtZ+tNURT4dPtiO0D+LXm/ojpdKKI2tFNOgwY
-n8df2u3xnCRvHqcF6lvu+ptnwUkUDDGDuiM20+sm0HHhLIj51v8tTm3Q/MzI0BAb
-G4HOSQNDzymWDgzIE67UTxBwXVDbSLkzH1vhFXtZQlD1UHqOUT/4FQm5ZlVMF8na
-FKxHakqoh1CdI8TAmM64h3hp1zp+G9Zn0lfcHRhvWBvpU8mgF1cbEvgbzjd9+xLe
-q45/8xuZPnU7XIBvDcZTUk8LRIThcTxQRlQdI1UJnvPOBYG3mUrLs2UdEZGwsooG
-zMOj3EQwqrR67rQiuGo65IMPDix4mwHjcZ8Gr4eqLDwSUS5yoPX1qI2qNLQbI1Ni
-8PEYMXQ0Xm+9Z86ZkI0dAIBWLkEGkz5Ngqk4O3JLzF1O/XPG4E9hGJ8WsHQW6pk9
-+quv5nVNCAO0z6FYfQoYprdbDBur+N/no+BYIcSFSpLcNgafLXgj3I65iJ2VmRi0
-V0xAfxcRiQN2+/7aao2zLrrSPHU8YsW48ISw9ibQ9EckZMVtnhuYpBJuX8+auZ8f
-OgBmgRi7fCtEcMlXsiisQehymMs470eDRfWFUMzgJC8tMOQIWNdYM0Bo29wYUJPN
-jD+NO0n+PisFMilBEyoT2pD1i94+5DWQau/7STb3GbpBsLb7JbIrQEp0oSdsvsNR
-SaJQEqMxepJM0OGp3FMr79s+/a13+TMm+jl65M6sV/YTDdYFlplkWyHDjbL+WjUu
-lvDEURfBJrtT7u673RakCEzl5e53fP01HXFhqgMSloR7j2XNiyCeEUBp+zetXxwb
-8e6IKtbXWU+WcXIdNOHAL+OtD1vUK3gxupJPrRNW6daZKWUDbjRixzXnjeyIw8It
-bRldc5VjyM0G4FMbmIROgRcvjJ74MUwnHpgPl9zQ28HmbxKbANiJJZHIDw==
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgRyGVG6HVoA3DU
-/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mpdYtP53SWASOH
-BiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkwBebpMLCf2Mi1
-robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bOFPoBoBOY7v4f
-uq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DWkk1vTt4jplSg
-6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5mGabckTMvtI5
-91UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014lcFg11mzjXGGB
-FuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest2X0psHe3Aloc
-UFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9CuezkuM1QEvke
-v5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+t8GhCKV6B7RT
-zFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3HhfTZstGECAwEA
-AQKCAgAmHcjpYm4FXy7Fl72F531pTv69w50OslFCexEUaqCMdojR7TYVs0hwXObT
-XePSczMaOTjujIXNcz/K0zdCwanMSSMy1THYhRC+DEqK4K0wLifjTad3m7S4PaPI
-0ocxbKWQBMDl3KdGEJW38KcqR4b1B/h6f4VYo7BQzkSbrxRSHANz63vdJvVWPoMz
-jxAgykSiAqIDTNGxYp5trUX7ZLLn0cCIJjIwLU56GcPPN33SDVXetUdQ4sCaDdXU
-8YP8rj0K1VWMYy7SItCZsIqzSEMT+7wC3tvDUDWGyEb1UW9q3cpKBNDAl7KkO3rH
-UbeMutCK5ydtXMIumzNB704cnuwZ08sdM7BTTMhmu0VK+zjVzhBK+MFcF7pickD3
-SdNzOiqfgiXLGjsiMFJvJ7OUJczEJl2xIoZ+Otb113ep0An0PEuF6aZMaKPNP7xf
-ljnengym1Rq+f1mHBRRfool9zmeisnQSSecKo0htm6oRkQTcTwLj0TjiCugbmISf
-D7sUXWp/QFVdYhHTay1gWUnP1quflKYvEynd0UF0JOnCbpWAczdXf27fm7DVjgLp
-yZ4QyrCtyvtIITgmZOvkAcaflxe2E+cBN2F+hWGzqMJfoMtw008hRW9DcRji35Kn
-lCOj/87n8lL3dicDI0caBZO9tQIakh05XYW8xN+sYF9K/xKauQKCAQEA2txDchqB
-7719R6hBqdNqig2+telNHlN0amPKjqIvP7Tr/JnJx8A7cSasao1Fw0cGPReBT7Tb
-Z5IW7xvWiZYFMDI8q8ZGEIb+MveYs1gHlEaimMtwoVCNeNe3cEPIL7ffNT8y+xFc
-o55AjzgKAOHqmf6OidKqRs/B1sSmOrgugsY8KvYtA/JrieVHKrjNX5XqZNqrfsns
-K4DMcJvIrfBu9iyWenNoBOdEJsP0h3F39Zh2hkEg29eH+/8x6FGlezvSU89Jjs9O
-/2BdlyS82RbhPu2VIrsmpfoSrsFHRe8t/9yrnpY3ud6w2LP9QIEMd8FpWKGnNxJp
-AIZJ6u+NoWVlLwKCAQEAxk/7RSSvf6VJvi1gmOxKd79LkYUEiyZryP/M8kQFMqs5
-pU6BgFLVLZsaXz+1oYS0bEjVGGo5ppCVVUMN6RuFX9zVz9uVZBeiiItqw64UDbt/
-0u78m9ngvSpWaMQU2nS/kHVhKOY+Gfs0v5fBvZE+wxTfMBR+nbx7uJivpXnq6xMP
-fhDz6juap/lEK6HuvQN5xXBNL4wpd099lvy3NUuG0Dohb/+gWf3YzQtjs281iMZB
-G3/gGLcBSdk6PBwXueJ3NPj9FAII73MQNBNYS3zi3IYuulA/rMcvbA+IGeKTzRX5
-E47B8ZAhJxZ3OePalvZyVEaRHDFT+Y2YCv/G9Bw7bwKCAQBs97oE97m2Gcxkfxui
-aIblEY7gl7Yz4S1XQzQ46/tGZtgQPqm+cLGn1q+Fpa0UWyp6BFf3zX5oBM6yYlPg
-0PboVjrq858y32N1EN3QfYXYh4qxNKlxR+AISK8mkDj9uTjDFCJX6v8K3+IY7Lfe
-VJ0v6xQg/uiUtSA3xFVXaxiNOBIA+ezTyEFOuP9EABsQ+l1ntZApYnPZ/RjNAGNc
-Zxd4Lh8F/KvPtS2zd2Eqho5Jk41/rrGjg55LE3ZPy0bvIovH+q8PEZytfddbR4lX
-NRMU98mHL1NA1E+0/rpz0XA/sikonnZEbuHyIzt2gEoq3fuLi4Dr5JivEC2BcaA8
-uXU1AoIBAQDDxUdfXbTmxQxEctVuga2OA0mdkXwHxlkXZvcyntWmzIOu3g5X2O3c
-BMcHCoTKu4/Faiz72jmpZggV0IlV+zYyiXaFqNcUpYRtWXx/SkU/vT6VxBmZ3X/Q
-HpCJAjE365MFD+tnjcv2qBfNoAnBkzYrLVqbQ1AvdVeJxyl2qSGxCPL9V80DCe5G
-LnwOuuBMtbaro45/BtYUk2N+/2H5eeLPguNphigNTtyMpta412s458Z0WEuo+liK
-R6kGmBEQDzHxGG/2JYAeqi9vyT0b4GCwpMJSaVBCx6vX+Ik6TIPuLOfjV8W8K7We
-ub3fZ0FuUEJTUgqEk2m77P0Qtqn4aDp/AoIBAQDXI66F4POHVOPI/j584sSLhW6X
-j5VzFlmOhpyoourPYXsKyIFrLa/gYAe/wNH/5jg3Ap5DbBVZB87gOkaMz2oV+ZQ/
-5IWiFmiUxGrCXmWyI6Eqr2DUtSKispLnQ043bFN+HlhfQYTwD9ijqpwpUt/sC+IJ
-mLIGJs5B3cdcRQuSxh1HpvSJOuItjp0wfcGj3+RPh5cPdjHZW30FHGFomOk//6BO
-nWdoYUGrN9wXylDOHvlkYaP2Uj5rCWm51ZGaxzJR9S+WkHdNBzyygpGtEXdSAIzU
-tHufKwQdDnj22w8KSCvQ+KvwUn9UrIR5LyGKiYGWved9X2EQzIFC4dJ8h30G
------END RSA PRIVATE KEY-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
-bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
-NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
-HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
-A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
-4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
-2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
-ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
-dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
-sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
-kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
-YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
-qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
-HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
-UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
-xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
-Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
-/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
-Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
-Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
-9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
-9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
-ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
-XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
-e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
-99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
-AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
-YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
-CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
-c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
-ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
-hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
-71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
-/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
-lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
-8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
-RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
-Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
-xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
-PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
-6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
-c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
-MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
-vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
-RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
-uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
-inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
-CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
-8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
-9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
-cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
-d/Fp6btmZH31IEyJrRNVOpCwZPI=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIINTCCBB2gAwIBAgIBAjANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
-b25zdGVyIENBMB4XDTA5MDMyODE0MDcxNloXDTM5MDMyMTE0MDcxNlowWDELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
-bnN0ZXIxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggIiMA0GCSqGSIb3
-DQEBAQUAA4ICDwAwggIKAoICAQC/9647SgAcK/or/Qs/3cRc19po7oex5EBdPR7b
-vInAuzrVMK84+ifneBWscVhBnxcUI37D0SpKx0onrdskMOyv5nmkdcgQf8931eip
-scNsw8bC8MJsbc5Jfn3DKPurbKK2/uFFE8ot7S65HY9tVBsxKsrjS5YFPE+DKKP+
-BgVk/9hL0Kqq2iKuWTq8YTRMu5iskpLIxqvuz362G46BKoW52pFegeDzpz/Bs/7y
-0oWPRcNcuRQR5XFTpF2L3UosniMkr7aYU5Z8s7IqiEx7txGh5SxRB+TYIZwB1ODa
-L+bnclQeMsBiFqlO9UI38UaxEQgk/+UhgpaX/DPrZg8KJmjW3e+x8xcwL3ouRLy2
-2Z99WMnV6TlwpTKj24EQJALmLG+UJG+hbV9P9j6Mkql3FHb4aLZH71CvyCqeg2yh
-FGiuaGEe8vS9+Dj5LKv8hSbBe/MSQDiPhKT1gb84TiQMsWfxLN7oDXunohnhMZfu
-sydB/c/R/ooA5ri+lE5c65bP2Mk+ml61p6z7lJv+DXBDXW/o4v8Imjx2OMsL85LZ
-vYWJppdJrThd/m4OVnCXYfuHMZqedsIvNR5blnldATLBjWWbeoKhOyqZb8hZ6HFR
-dlJ11LhxnGg9itG385L3Espl+EVcakWBZWrOn5/LGNKZH3UedclEBNci6lSadZaP
-/UfRCwIDAQABo4IBGDCCARQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
-BBYEFOQpYirU7vrMZUWDkqDijTPuhPQiMHgGA1UdIwRxMG+AFBlirZarxvvXjxDE
-Vv9AYyJCcHYOoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
-b25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5L
-ga4wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzBBBgNVHR8EOjA4MDag
-NKAyhjBodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tbW9uc3Rl
-ci5jcmwwDQYJKoZIhvcNAQENBQADggQBAAEsjsebEspAIANEBVWRjRpowIJlVSLf
-WKzblIPlhClXafHGJbhiamdtS2FmEh/rkzz3Ml+9cJy1KnB1Pn6+4JLSJe5xAywK
-lKTT2iY0KDdOsaK5j+CNJ2tW9NrJPxwtIz+nGGqqyyEUPJE1FYxphbLgmwFNBm2o
-HyeUVYI+gyfmhyHaXHKOmbsDG0o+pUX2tVOs0KdyU6deaAtEf1E6aA5TpCAi1OZs
-pdRDXFUfjdekRkfRr1PZ41Xwk3t6E32YhIE++r7QneQPhXymxVO9nepmpuSoHvlX
-Hb4JN2EQ0zCkkkOfqCuF46zVxsR46/3cfKbRsaVmdfGjvmDSCDI47AreluYiPTGA
-zN4XN91Y5rPZuT9OJYV4UrYv9N1jH5StVmSz19rbYOeozJXX0PBjdCKHEonD1FHY
-xWRpijVUG6NWVLKpvdg3RiFw78wIrNPAeVDvLL+112nbszNDNLSoOJjOUBySHJda
-WYFtg2IoAUis9r/o7uykNcC6KiU4Y1nC8PEIhMi4AMA9UgBCn4ixYtHI9jkfHcrD
-O1kvPRUo3hKzrhftLYtfiBfTEh+3Xab615lt5vNNhdI7d4knqUXvVdURtvlfJLZv
-W0YdvwjJtrVJAiCtX3wyxy72O1ZOG5kHCcK5oHUHg5W172rK9hK4LByk5ESqtc/t
-YDG7TmZLtUceV5yK4gz7pwIwXthA8yayRy+lbk8BFxRMfOEfb6rPdm0vvmPpHHDu
-yHR5SJTgpGo+/I8N1zS6PNeUBh0RAbSnxHJSMLn+GYTs8s6Atnq05SIuVYxvXyAQ
-ULf+ppNN5lngSZHPaOFJNpC1QL1+DdMNueDITVxYx5DV8SkWRPhzS77tsYeUxVGI
-IpUVEqSggGe6Q4YWv2smAjSeqaS5HNGxstE+Ybat/cp9QMbLc7gwKxwRQHhVRZ5O
-0rVq2bZUyly8y4wX8G8WFMNuCoAcHAdMvKh4JtmdDDZlbxdC2mSVbLSuTBfGvKc1
-ScwOBtSqQkm9PsTMitZM31s97WJLQIZbq82g2ns7hfEXMMIgzcFLYlM1SovbDZI5
-ZM63NBVTaKyj+Gxy8FcAPBPtPWwAQT+Gdi8gFwtcEilTOBECL5y0hzlL9aJpsJEq
-4KV5nnM5rutUufiYzQMZqME3g9VWk0kQteVpa4x+4zsKH9lJSSS/y0eCo/jArS8l
-HSmzUDkj2cWmf/azdrcig7g/mHeEbKu1JH1X5lRdZekqcRCW6v1OjP025B/5nSnL
-WYPUI9RLb01fmPjWdrc4+hPnHjePp8w6tuM6U6huMCwstnOel6d2FL5hOWvXNmIH
-I+8zv7SHhIWQmUbC0YQn8BFqvqDC08In5x42YiTe+42YEtafkTkbY8o=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAv/euO0oAHCv6K/0LP93EXNfaaO6HseRAXT0e27yJwLs61TCv
-OPon53gVrHFYQZ8XFCN+w9EqSsdKJ63bJDDsr+Z5pHXIEH/Pd9XoqbHDbMPGwvDC
-bG3OSX59wyj7q2yitv7hRRPKLe0uuR2PbVQbMSrK40uWBTxPgyij/gYFZP/YS9Cq
-qtoirlk6vGE0TLuYrJKSyMar7s9+thuOgSqFudqRXoHg86c/wbP+8tKFj0XDXLkU
-EeVxU6Rdi91KLJ4jJK+2mFOWfLOyKohMe7cRoeUsUQfk2CGcAdTg2i/m53JUHjLA
-YhapTvVCN/FGsREIJP/lIYKWl/wz62YPCiZo1t3vsfMXMC96LkS8ttmffVjJ1ek5
-cKUyo9uBECQC5ixvlCRvoW1fT/Y+jJKpdxR2+Gi2R+9Qr8gqnoNsoRRormhhHvL0
-vfg4+Syr/IUmwXvzEkA4j4Sk9YG/OE4kDLFn8Sze6A17p6IZ4TGX7rMnQf3P0f6K
-AOa4vpROXOuWz9jJPppetaes+5Sb/g1wQ11v6OL/CJo8djjLC/OS2b2FiaaXSa04
-Xf5uDlZwl2H7hzGannbCLzUeW5Z5XQEywY1lm3qCoTsqmW/IWehxUXZSddS4cZxo
-PYrRt/OS9xLKZfhFXGpFgWVqzp+fyxjSmR91HnXJRATXIupUmnWWj/1H0QsCAwEA
-AQKCAgAn3928CQH+2A+uBXDJwlngYyHF/A4JoHzSITkAsaf3dayhzewHrMaPKP1v
-hVeswcv8becN66uaPs0jctR7LwJrAzevNpvo+XNx0+fxH7CVLhFiOrpX5XMdBv4+
-hIvKLtWZp1XJkHPFmGfFIePB9N91FgtwrSmrSrzFZLKzuDJ0qUQXc2+P76GWj4hI
-yvQfIDR1XDjLJaFfCJCsaQrvv5JpaYIanGXKlqoCpU3GyH3fpcEPyI3nrb4dfp3D
-yKJ4pBxuqWUHPQ2cN4NBnHAunnc2JrFO35HkZw7Nvpc6GwsedjwMzcPyW/ytHvqz
-PhXN/9iuPs0sacC4LzXlppxnIlVSOCoLUpyoe8zXxDJBLsU7d+zDnXZ/1guviHz+
-x4RsEKjlXcvsvnZGAy0pUzOEXIfmWOOSlA7iqkbPNud9nBS4YnOtiZIowLj6893k
-rN1GQ/jw7szBkNh5vjdZT7HAIhlBwyQI3hRJX/h0hdUPNiPW4/j9W94JWcRxk0tO
-vZq7mcTtJ8OFlsNyO12KgFIjT+Gwz7tmNrN+Of98pOt9jRN7hhxY8sQosmW1nePZ
-HuWR52CVShXX/N2d/09hwf48xjYBjF3Mjxc8ySIyERdcWqsWx3j5WaB8rEAAuMcF
-/gY5bb4Oc1MAUtX8aMidvKfVW0Owapj/ApgyOmGbO6YEQCKSIQKCAQEA6hbs2JoD
-8u9sCaabRKNxqnjzXzB7JrR1PKyOjp3Iiku29W1VQ/TMRUpO63LsE3lbv/3RIvi1
-wZN/dFhWC9wOY85iDUci5ZI0QcZA0OIQ/uetrE5/FBOmH9MVIQEXnGHSNPHUWMqk
-EBrykyt+7RMEb7Kldm0V57MesO1FA0y81+UCJP01KZM0D7Nq1Eb6GfNLENah3Fk2
-wHk6g36O1nMAEyjHvS+ht8C0rzNXIqCnkeAuxxAfJde9TYpuW7oCt1JEeh2VAmOO
-7QESq2x0OrPKLCUs00y5k0I9eqvAaQfCC6EcdiX7FyAfX5n5Vf5FbfbWhf9oheno
-CQ0uai4v1uqX2wKCAQEA0e91hlukBO2InB9j+54R3XA0buCr/eQFqJ4sAjgL9GCk
-n09tfytH/nLPw/g/l7snyVmGW3uZfmkOqnTP9Yfbx1dU0pPRN11qM9QG6YH+Odkv
-D+LpRnYRjj7QxQJQbGy+2IZN8cmtpJQziSmQMNZU/YoDpq7wYNVhwnP0Z3ZgUo3d
-GfRPbGw951dOAK0Z6S61+mXSQE9JhZBo49zOrmkgLa1fmLfJoukmz4MTZqoWFffq
-+1Q4vdYgRS8ToT2Rmba+7s4UAmVKyACEw8WEyjH3TXxd6tQy/smzcD0Vgg7Ghvg7
-Vs5ion9HcqDEcQ1YWvMDWPD/x4fyVgu4v2QW/k/KkQKCAQBPb04ZxlG2u1YfBEFG
-DmyA26BCWfJAVRY/a5LIhHRLsZu5NsurTsOOc8PKE+pWRWVEBj5Urq8GrCWg9mTk
-i1z6s0sElHIcEvvWog7WkxAPX9DIWq62wmAqBnfyBivb7jnlq3ZSVxlLOcm89RKS
-IlTsDmQlhqjbQiYVBb7Yes7OODD9GktS+1e8SDblJ9ywt6VuZlbwrfltYPXhLy4L
-SWTqG3mEEki/UQ4/MZ3M61VRpBBbjnXzYn0jdekzCTDowmroQWeSMvSKKkYKk7fx
-P5dIWakXXr7OYLj6CpQ1T+OiDJ7a3NKSq1zaFSbN7oXi5dMwD1aJsrEBeU6Zy2iC
-doLnAoIBAQCzC716J7JNmaCHNqZ5NKkb6NRvNCK72LuSwcPa6J4ZgEsmrAFBElLG
-inj0NEdYSwB102qpn1Kb41HkwteSGpqw+qSXLAalZ4BqT4zNnlaKU9a1f9tggtYa
-MSywuXaJ4n0qAfF8I3t7AAKsGsylOkcmLY1LnavZimNkCq0JiIZCIkfOGPWcDP0G
-zwjxvrB4laQSuMCGpJiZ1z3+CJYlXfdZvaHoh+bqkFrPZIUpbCqF9fls/Lmf/n1r
-Q+lD/VSuepOA7DVYjbcnuHmC1nSYVeELLuSSoQQVFUV6lj4/vAZJmnBRapfo6xCu
-jLq9iJowh031jyU2sZVXGYwpf12066xhAoIBADCtIvqwfy9pcqYs8PQMQTbDuz3G
-ZCe3E5SLJ00gk/PBVJihOYvdKgwoZAyWdWxOPDKzBJAaJBgpmpWKeX3k92HgLxyi
-50zKogbCc49mz2c6kRC13SviPAjO1XuM+FKo50AICenauu21/ZeMYuLt9gxnhEo5
-kkIYhD0irfTw5MMEKITAs71iB74Lxm9gv/+jOwsgoP23k562NHnIvPdbDzbR/ROD
-xb/3DsGbB4kmUXoLlWxradiZGczPddki+bMI4meMs8oH+XP14KyGqWC8LSuBDg8Y
-fADibXSIAHobiN+KhDtWz9Wnhtch9C8Q5+JDjixdspcn4lkMdMK532v/FBM=
------END RSA PRIVATE KEY-----
--- /dev/null
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>3DES_CBC / HMAC_MD5_96</b> by defining <b>esp=3des-md5-modp1024!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
--- /dev/null
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
+moon:: ip xfrm state::enc cbc(des3_ede)::YES
+carol::ip xfrm state::enc cbc(des3_ede)::YES
+moon:: ip xfrm state::auth hmac(md5)::YES
+carol::ip xfrm state::auth hmac(md5)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ ike=3des-md5-modp1024!
+ esp=3des-md5-modp1024!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+ ike=3des-md5-modp1024!
+ esp=3des-md5-modp1024!
conn rw
left=PH_IP_MOON
+ leftfirewall=yes
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
- leftfirewall=yes
right=%any
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
carol::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
carol::ipsec start
-carol::sleep 1
+carol::sleep 1
carol::ipsec up home
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite
-<b>BLOWFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and
-<b>BLOWFISH_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
+encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES
-carol::ip xfrm state::enc cbc(blowfish)::YES
-moon::ip xfrm state::enc cbc(blowfish)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
+dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
+
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- ike=blowfish256-sha2_512-modp4096!
- esp=blowfish256-sha2_512!
+ ike=blowfish256-sha512-modp2048!
+ esp=blowfish192-sha384!
conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
+ leftfirewall=yes
right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
auto=add
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
+charon {
dh_exponent_ansi_x9_42 = no
+ load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+ ike=blowfish128-sha256-modp1536!
+ esp=blowfish128-sha256!
conn home
left=PH_IP_DAVE
- leftsourceip=%modeconfig
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
auto=add
-
-
-
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ dh_exponent_ansi_x9_42 = no
+ load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- ike=blowfish256-sha2_512-modp4096!
- esp=blowfish256-sha2_512!
+ ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
+ esp=blowfish192-sha384,blowfish128-sha256!
conn rw
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
+ leftfirewall=yes
right=%any
- rightid=carol@strongswan.org
auto=add
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
+charon {
dh_exponent_ansi_x9_42 = no
+ load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
}
moon::ipsec stop
carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+carol::ipsec start
+dave::ipsec start
carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
# All UML instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol"
-
+IPSECHOSTS="moon carol dave"
-moon::cat /var/log/auth.log::MODP_2048_224.*refused due to strict flag::YES
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024_160::YES
-dave::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048_256::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
+++ /dev/null
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256_96</b> with 96 bit instead of the standard 128 bit
-truncation, allowing compatibility with Linux kernels older than 2.6.33
-by defining <b>esp=aes128-sha256_96!</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-modp2048!
- esp=aes128-sha256_96!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha256-modp2048!
- esp=aes128-sha256_96!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and
-<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-modp2048!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+moon:: ip xfrm state::auth hmac(sha256)::YES
carol::ip xfrm state::auth hmac(sha256)::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
-
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
ike=aes128-sha256-modp2048!
- esp=aes128-sha256!
+ esp=aes128-sha256-modp2048!
conn home
left=PH_IP_CAROL
+ leftfirewall=yes
leftcert=carolCert.pem
leftid=carol@strongswan.org
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
- auto=add
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
ike=aes128-sha256-modp2048!
- esp=aes128-sha256!
+ esp=aes128-sha256-modp2048!
conn rw
left=PH_IP_MOON
+ leftfirewall=yes
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
right=%any
- rightid=carol@strongswan.org
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
moon::ipsec stop
carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1
carol::ipsec up home
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_CBC_192 / HMAC_SHA2_384 / MODP_3072</b> for the IKE protocol and
-<b>AES_CBC_192 / HMAC_SHA2_384</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-modp3072!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon:: ip xfrm state::auth hmac(sha384)::YES
carol::ip xfrm state::auth hmac(sha384)::YES
-moon::ip xfrm state::auth hmac(sha384)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
-
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
ike=aes192-sha384-modp3072!
- esp=aes192-sha384!
+ esp=aes192-sha384-modp3072!
conn home
left=PH_IP_CAROL
+ leftfirewall=yes
leftcert=carolCert.pem
leftid=carol@strongswan.org
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
- auto=add
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
ike=aes192-sha384-modp3072!
- esp=aes192-sha384!
+ esp=aes192-sha384-modp3072!
conn rw
left=PH_IP_MOON
+ leftfirewall=yes
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
right=%any
- rightid=carol@strongswan.org
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
moon::ipsec stop
carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1
carol::ipsec up home
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and
-<b>AES_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_256 / HMAC_SHA2_512_256</b> by defining <b>esp=aes256-sha512-modp4096!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ip xfrm state::auth hmac(sha512)::YES
carol::ip xfrm state::auth hmac(sha512)::YES
-moon::ip xfrm state::auth hmac(sha512)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
-
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
ike=aes256-sha512-modp4096!
- esp=aes256-sha512!
+ esp=aes256-sha512-modp4096!
conn home
left=PH_IP_CAROL
+ leftfirewall=yes
leftcert=carolCert.pem
leftid=carol@strongswan.org
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
- auto=add
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
ike=aes256-sha512-modp4096!
- esp=aes256-sha512!
+ esp=aes256-sha512-modp4096!
conn rw
left=PH_IP_MOON
+ leftfirewall=yes
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
right=%any
- rightid=carol@strongswan.org
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
moon::ipsec stop
carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1
carol::ipsec up home
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-
+++ /dev/null
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of <b>X.509 Attribute Certificates</b>. Access to <b>alice</b>
-is granted to members of the group 'Research' whereas <b>venus</b> can only
-be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors
-<b>carol</b> and <b>dave</b> belong to the groups 'Research' and 'Accounting',
-respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
-can reach <b>venus</b>.
\ No newline at end of file
+++ /dev/null
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::alice.*peer with attributes .*Research.* is a member of the groups .*Research::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::venus.*peer with attributes .*Research.* is not a member of the groups .*Accounting::YES
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::venus.*peer with attributes .*Accounting.* is a member of the groups .*Accounting::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::alice.*peer with attributes .*Accounting.* is not a member of the groups .*Research::YES
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
-
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightgroups=Research
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightgroups="Accounting, Sales"
- auto=add
-
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIBHzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDIyNzIxMDUzMFoXDTE1MDIyNjIxMDUzMFowZjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv
-cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKw0NWg8FpkrWoItNzexEiaS
-dESF+blw2+2y51vVmbDk9edfJcjkzBNIEvY/0GXODmcthjExiTNgmNuCdQwapCHx
-p39HaD902rzmvflI40dZTmlFcn0Pp41wNbvjVaOpn7f6Mov68YmsoLQr47+OU6sn
-d3c8rx+BXO4g6YyRB0xpwB2kfO34FZh7FwOe4sVAJu5E7urK0hij2W1+adZNFg7K
-SP2i7llfooxWpS+6Vi6ZjuJ/dcGyvXpXnr0H2x58sZeaB5n8Ay+mhPDX72xXfwEm
-s7fztkhqmmix2TVEH96dR99ouCENF1Cm8OCbR1kkhWReL6P0tCbirbwFbZxKtOUC
-AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFEvO
-LmT1B7kU0IJsJtK+0nZMwxXgMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq
-Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh
-QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry
-b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQADggEBAI2K
-atqWeSWcxmcylrBJXkXDOsZtFZAE/kGWD5+T/lDFzE5D0GeDWfHehojtooWGpnL3
-u7xo3h3+qVliYcCFy1zKtPE0lwkBWKFPSw4UNfOmaF4De6Tp1V6FSQE9JPNpcTL/
-aPWFkX69Py8elR8OIsXPlFtOfTbtjZxoGuLNn7BX1XjctG5iIhKs/3TVMdzcyjVL
-wKiDE1xq8/Es2pPTgvF8jk7VcNyIGhrlj1IYq35h0RKTSXTCRlczf+lzoPo6Duov
-G0r/8VLpI4bBmKN4cIvaRCa4zew8SWpJzg/06zm2QT8eEJVVB499usVf9OVS3Qa5
-8mcNXcKmqcyP2Tlnvbo=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArDQ1aDwWmStagi03N7ESJpJ0RIX5uXDb7bLnW9WZsOT1518l
-yOTME0gS9j/QZc4OZy2GMTGJM2CY24J1DBqkIfGnf0doP3TavOa9+UjjR1lOaUVy
-fQ+njXA1u+NVo6mft/oyi/rxiaygtCvjv45Tqyd3dzyvH4Fc7iDpjJEHTGnAHaR8
-7fgVmHsXA57ixUAm7kTu6srSGKPZbX5p1k0WDspI/aLuWV+ijFalL7pWLpmO4n91
-wbK9eleevQfbHnyxl5oHmfwDL6aE8NfvbFd/ASazt/O2SGqaaLHZNUQf3p1H32i4
-IQ0XUKbw4JtHWSSFZF4vo/S0JuKtvAVtnEq05QIDAQABAoIBAQCbfhUPhtp8+imi
-zANFFW2nSK0VxsgEi4T7MIU6Zjh+A3CLuF2c9gPUEUuV8W9SzeoxfmjieLFDpCDC
-bR0VjeTRBazR//+A9RoiYlP+CbO4FEr6QYwsovsPetf6TT9iJeMjtBb6UODTCP6f
-UdY3fOPN8zgrga87yorINw3MMJSfiI21zSzCkueOQloktBgih5Wueu8FDFUB2fVa
-uLTUa+wOhXUBPyF5OXLox5TxE6gBPkiUsnNXP8X/kHLPk2iBQmdxz+uwG/Pz6pS2
-JsmX2WzFJ0+Rj4cJpoa4Ev5uAx79kcXnQT3d5/HIwuh7ZEMKorb1m8w8lhAW4ARU
-ddjhLkWhAoGBAOCpDGfLwQHWVejOcjEwfWts0hHLdlNfZEgsLSex2k/U6Mk1TjCo
-tAHQOvmqxZDxypJEem3RPaWZh+gttTpHvGkS9fsvTpyARcDp0FXI40hwARPsnMbI
-0fDmpVfOOLZdQKMDg42TrZC/mipU68gFP/rYC7xalJs0pe0LL3ffsSC5AoGBAMQ5
-3V6nuucpL87I0fKg56z0/3lcRxI46KuIXhHSAjxNb76cQuxiK8s5TPCot3Unq6GQ
-R7Y+dYd1FVEh2i3Q7/Yh/BSeYiDcDf5aELCwY32O/OnSSoNTbgGR5FT+/SHJK5bg
-j/O5S7+dajqtC2JZJl8smOeB5c187bc4FU72+6eNAoGAZUiRSTI434Ur0ftQzBBa
-WtYClvctb0TwRwFzkhPCon8QO7YGfDVygebIz8pHq6L2ep7Yuy28Jy5icTA6Jf41
-WQGtWALp4/CIggJnZGVe4kdslPj1bUEYNQ0mucFFHCJKg7OP2YIcm8dlz3PdoJ2N
-TJ+eGtqTaK2BqK6ERfzZNDECgYBbVTOcYyWzgpAmB4LxE8PB1Sc0LadG7AYgERD3
-6m/v8XsZlVHxBKCtrrYJLf52IUjZonY+dUPvEKgjY0ZSHPYT8i2Ky02RTduVkAZE
-t1UXk/5UNvVHuwVw5Z8JkMXxe9k2GL/oCU8gmPxg4zpxRF1/3xosZ2G3C3b52LjS
-UFNB4QKBgDX2UmLgRHAXDsmksNZaMUSNk+xws0B1M/EDd9h7e79ilENkOPDLo5+E
-z22WPNrgzKEUz44FZZOsislfPE7ffgQcRTxtNWqoElwxuHLuy46jaReL7zJSDtpv
-wtn4YoOpH0DnC994nziTQif33FBF/2o8hWoq4vcXKNSMGTwGzi/a
------END RSA PRIVATE KEY-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
-6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
-Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
-Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
-I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
-x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
-tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
-GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
-ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
-F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
-L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
-ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
-Rf5Z0GOR
------END CERTIFICATE-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBHDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwMzczOVoXDTE0MDgyNjEwMzczOVowWzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
-bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDAB/JTbwVY5oNF0+8Behdbc0NOeX+bl0SOcgpZ
-ha6nbMBQO41jtOI5r5Xbg9sK9l+DYOnZQZEsEhIVZDoK8yGI/FIEE+gWRf+OLmI8
-k2K+G1dklTC/VP2tZWMQYQWs6UnX3iiVpHccI3CQqqJWe9fZsIsq0J9j9hu6h9dG
-IEbon6RXDLPI5DIiIKc3r0jDHNDsIUDzcjuUdCxKFCMuHUCfa1PBiqpj5pP6XT0G
-gI6UjbgnNWPTPb2axE7P1x5gQmVwiFiYs+VTh2fq9O9xNxnn/YmzLk4/YNly7xYX
-Q31NuhSvRpH7jsJ1p4VSuunYqvccPUKsp5PvCtCeGvNT2qt1AgMBAAGjggEFMIIB
-ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU7n842u6huBpBd394
-8mdL6EOdjg4wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAyAbxrpMtTARw3
-jvBwuapaHXnTppz+TkWyfXVpgTwtPlf3rbhPk4DjhT2ygyMTI1azoqProf2aBbDr
-DldCSQPsZAcuzOdruKKMo2CQwgLuBFXL+JUX0hiIpFS1ZZHA2aDKyUw4OyADOvDU
-8r1/WiwRb91TdYP9nEu9qP30k0vkUg8DCbCmPI1/MVaxVzh9LRAFyOHrnKSCXG7o
-StmVFm2Yf3pE4HS1W6DtommyPs7aUD5XAaQdr3DYKI/TazoU6t5g2aEqigu+pj2M
-qk5idJkx5VCFvUU1hlChyX6NNNjJNnV6u5YiuatcdYQhpCTBsxnBoM+w0BvNOCl+
-1PdgEy1K
------END CERTIFICATE-----
+++ /dev/null
---cert /etc/ipsec.d/aacerts/aaCert.pem
---key /etc/openac/aaKey.pem
---quiet
---hours 8
+++ /dev/null
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-openac {
- load = sha1 sha2 md5 pem pkcs1 x509 gmp random x509
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/openac/*
-moon::rm /etc/ipsec.d/aacerts/aaCert.pem
-moon::rm /etc/ipsec.d/acerts/*
+++ /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::cat /etc/openac/default.conf
-moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem 2> /dev/null
-moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
+++ /dev/null
-This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and
-gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks
-the established tunnel with compression.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::policy.*COMPRESS::YES
-carol::ipsec statusall::policy.*COMPRESS::YES
-moon::ipsec statusall::comp.::YES
-carol::ipsec statusall::comp.::YES
-carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
-moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- compress=yes
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- compress=yes
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%modeconfig</b> parameter. <b>leftfirewall=yes</b> automatically
+by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
--- /dev/null
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- rekey=no
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP_MOON1
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftfirewall=yes
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr
+
+ dns1 = PH_IP_WINNETOU
+ dns2 = PH_IP_VENUS
+}
+++ /dev/null
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates
-an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in
-their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify
-the certificate received from their peer.
+++ /dev/null
-moon::cat /var/log/auth.log::loaded crl from::YES
-carol::cat /var/log/auth.log::loaded crl from::YES
-moon::cat /var/log/auth.log::X.509 certificate rejected::NO
-carol::cat /var/log/auth.log::X.509 certificate rejected::NO
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::written crl file::NO
-carol::cat /var/log/auth.log::written crl file::NO
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- cachecrls=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
-
-conn home
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- cachecrls=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn net-net
- leftsubnet=10.1.0.0/16
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=add
-
-conn host-host
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- auto=add
-
-conn rw
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
+++ /dev/null
-moon::wget -q http://crl.strongswan.org/strongswan.crl
-moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-carol::wget -q http://crl.strongswan.org/strongswan.crl
-carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
-available, the Main Mode negotiation fails. A http fetch for an updated CRL fails
-because the web server is currently not reachable. Thus the second Main Mode negotiation
-fails, too. Finally an ldap fetch to get the CRL from the LDAP server <b>winnetou</b>
-is triggered. When the third Main Mode trial comes around, the fetched CRL has become
-available and the IKE negotiation completes. The new CRL is again cached locally as a
-file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
+++ /dev/null
-moon::cat /var/log/auth.log::loaded crl from::YES
-carol::cat /var/log/auth.log::loaded crl from::YES
-moon::cat /var/log/auth.log::crl is stale::YES
-carol::cat /var/log/auth.log::crl is stale::YES
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
-carol::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::written crl file::YES
-carol::cat /var/log/auth.log::written crl file::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow ldap crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- cachecrls=yes
- charonstart=no
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=2
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow ldap crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- cachecrls=yes
- charonstart=no
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=2
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn net-net
- leftsubnet=10.1.0.0/16
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=add
-
-conn host-host
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- auto=add
-
-conn rw
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
+++ /dev/null
-winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
-carol::sleep 3
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current CRL is available, the Main Mode negotiation fails
-and a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
-When the second Main Mode trial comes around the fetched CRL will be available
-but because the certificate presented by carol has been revoked,
-the IKE negotatiation will fail.
+++ /dev/null
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::certificate was revoked::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec listcrls:: ok::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolRevokedCert.pem
- leftid=carol@strongswan.org
-
-conn home
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
-lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
-e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
-Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
-+BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
-TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
-ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
-jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
-nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
-6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
-cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
-q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
-0xafBd5x
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
-msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
-AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
-hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
-dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
-dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
-fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
-Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
-M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
-0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
-oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
-VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
-ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
-VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
-I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
-bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
-yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
-u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
-dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
-coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
-VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
-YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
-lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
-95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
-b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn net-net
- leftsubnet=10.1.0.0/16
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=add
-
-conn host-host
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- auto=add
-
-conn rw
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current CRL is available, the Main Mode negotiation fails
-but a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
-When the second Main Mode trial comes around, the fetched CRL will be available
-and the IKE negotiation completes.
+++ /dev/null
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn net-net
- leftsubnet=10.1.0.0/16
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=add
-
-conn host-host
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- auto=add
-
-conn rw
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
-via http from the web server <b>winnetou</b> is saved locally in the
-directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
-and the gateway <b>moon</b> when the IPsec connection is set up. The
-<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
-is used as a unique filename for the cached CRL.
+++ /dev/null
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
-and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
-and a self-signed X.509 certificate. Because the UML testing environment does
-not offer enough entropy, the non-blocking /dev/urandom device is used in place
-of /dev/random for generating the random primes.
-<p>
-The self-signed certificates are then distributed to the peers via scp
-and are used to set up a road warrior connection initiated by <b>carol</b>
+++ /dev/null
-carol::cat /var/log/auth.log::scepclient::YES
-moon::cat /var/log/auth.log::scepclient::YES
-carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
-moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=0
- strictcrlpolicy=no
- nocrsend=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftcert=selfCert.der
- leftsendcert=never
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightcert=peerCert.der
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A INPUT -p tcp --sport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=0
- strictcrlpolicy=no
- nocrsend=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn carol
- left=PH_IP_MOON
- leftcert=selfCert.der
- leftsendcert=never
- leftfirewall=yes
- leftsubnet=10.1.0.0/16
- right=%any
- rightcert=peerCert.der
- auto=add
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::rm /etc/ipsec.secrets
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-moon::sleep 5
-moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
-moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
-moon::ipsec reload
-carol::ipsec reload
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
leftid=bob@strongswan.org
leftfirewall=yes
right=%any
- rightsubnetwithin=10.1.0.0/16
+ rightsubnet=10.1.0.0/16
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
bob::ipsec start
alice::sleep 2
alice::ipsec up nat-t
-
+alice::sleep 1
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn nat-t
+ left=%defaultroute
+ leftcert=bobCert.pem
+ leftid=bob@strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsubnet=10.1.0.0/16
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
bob::ipsec start
alice::sleep 2
alice::ipsec up nat-t
-
+alice::sleep 1
The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
-<b>moon</b> clears the connection after the configured timeout of 30 s.
+<b>moon</b> clears the connection after 4 unsuccessful retransmits.
-carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::sleep 50::no output expected::NO
-moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
-moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
-moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
-moon::cat /var/log/auth.log::DPD: Clearing connection::YES
+moon:: sleep 60::no output expected::NO
+moon:: cat /var/log/daemon.log::sending DPD request::YES
+moon::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- cachecrls=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- keyexchange=ikev1
+
+conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
-
-conn home
+ leftfirewall=yes
right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev1
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyexchange=ikev1
dpdaction=clear
dpddelay=10
- dpdtimeout=30
+ dpdtimeout=45
conn rw
left=PH_IP_MOON
right=%any
rightid=carol@strongswan.org
auto=add
-
-
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
-The peer <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=%<hostname></b>. The ipsec starter resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
-the old tunnel is replaced by an IPsec connection to the new origin.
-<p>
-In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
-the responder <b>carol</b> disconnects (simulated by iptables blocking IKE and ESP traffic).
-<b>moon</b> detects via Dead Peer Detection (DPD) that the connection is down and tries to
-reconnect. After a few seconds the firewall is opened again and the connection is
-reestablished.
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
+<b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
+polling interval of 10 s. When the network connectivity between <b>carol</b>
+and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b>
+clears the connection after 4 unsuccessful retransmits whereas <b>carol</b>
+also takes down the connection but immediately tries to reconnect which succeeds
+as soon as the connection becomes available again.
-moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
-carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 35::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+carol::sleep 60::no output expected::NO
+carol::cat /var/log/daemon.log::sending DPD request::YES
+carol::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
+carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES
carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
-moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
-moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
-moon::cat /var/log/auth.log::DPD: Restarting connection::YES
-moon::sleep 10::no output expected::NO
-moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::sleep 10::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+ dpdaction=restart
+ dpddelay=10
+ dpdtimeout=45
-conn moon
- left=%defaultroute
- leftnexthop=%direct
- leftsourceip=PH_IP_CAROL1
+conn home
+ left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
- right=%moon.strongswan.org
- rightsubnet=10.1.0.0/16
+ right=PH_IP_MOON
rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- dpdaction=restart
- dpddelay=5
- dpdtimeout=25
-
-conn carol
- left=%defaultroute
- leftnexthop=%direct
- leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP_MOON1
+ dpdaction=clear
+ dpddelay=10
+ dpdtimeout=45
+conn rw
+ left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%carol.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
rightid=carol@strongswan.org
- rightsubnet=PH_IP_CAROL1/32
- auto=start
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
-carol::ipsec stop
moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
+carol::ipsec stop
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
moon::ipsec start
-moon::sleep 4
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
# All UML instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou dave"
+UMLHOSTS="moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="m-c-w.png"
# UML instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS=""
# UML instances on which IPsec is started
# Used for IPsec logging purposes
+++ /dev/null
-The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
-the old tunnel is replaced by an IPsec connection to the new origin.
-<p>
-In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
-suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
-old tunnel first (simulated by iptables blocking IKE packets to and from
-<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
+++ /dev/null
-carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%defaultroute
- leftnexthop=%direct
- leftsourceip=PH_IP_CAROL1
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=moon.strongswan.org
- rightallowany=yes
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%defaultroute
- leftnexthop=%direct
- leftsourceip=PH_IP_CAROL1
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=moon.strongswan.org
- rightallowany=yes
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
-6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
-Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
-Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
-I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
-x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
-tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
-GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
-ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
-F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
-L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
-ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
-Rf5Z0GOR
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
-
-mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
-i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH
-jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx
-m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce
-pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq
-J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf
-dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB
-h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC
-/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY
-EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV
-pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe
-sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz
-kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk
-gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja
-OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53
-D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM
-bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo
-BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx
-7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB
-UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs
-H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB
-y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA
-zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty
-AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6
-nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=%defaultroute
- leftnexthop=%direct
- leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP_MOON1
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn carol
- right=carol.strongswan.org
- rightallowany=yes
- rightid=carol@strongswan.org
- rightsubnet=PH_IP_CAROL1/32
- auto=add
+++ /dev/null
-dave::ipsec stop
-carol::ipsec stop
-dave::sleep 1
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/private/*
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up moon
-carol::sleep 1
-carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-dave::ipsec up moon
-dave::sleep 2
+++ /dev/null
-The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
-the old tunnel is replaced by an IPsec connection to the new origin.
-<p>
-In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
-the responder <b>carol</b> suddenly changes her IP address and restarts the connection to
-<b>moon</b> without deleting the old tunnel first (simulated by iptables blocking IKE packets
-to and from <b>carol</b> and starting the connection from host <b>dave</b> using
-<b>carol</b>'s identity).
+++ /dev/null
-carol::ipsec status::moon.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%defaultroute
- leftnexthop=%direct
- leftsourceip=PH_IP_CAROL1
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=moon.strongswan.org
- rightallowany=yes
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%defaultroute
- leftnexthop=%direct
- leftsourceip=PH_IP_CAROL1
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=moon.strongswan.org
- rightallowany=yes
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx
-6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ
-Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V
-Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G
-I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov
-x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5
-tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul
-GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7
-ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr
-F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ
-L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK
-ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k
-Rf5Z0GOR
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
-
-mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
-i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH
-jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx
-m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce
-pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq
-J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf
-dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB
-h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC
-/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY
-EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV
-pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe
-sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz
-kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk
-gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja
-OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53
-D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM
-bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo
-BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx
-7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB
-UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs
-H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB
-y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA
-zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty
-AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6
-nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=%defaultroute
- leftnexthop=%direct
- leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP_MOON1
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn carol
- right=carol.strongswan.org
- rightallowany=yes
- rightid=carol@strongswan.org
- rightsubnet=PH_IP_CAROL1/32
- auto=add
+++ /dev/null
-dave::ipsec stop
-carol::ipsec stop
-dave::sleep 1
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/private/*
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-moon::sleep 2
-moon::ipsec up carol
-moon::sleep 1
-carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-dave::ipsec up moon
-dave::sleep 2
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
-so that the remote end is defined symbolically by <b>right=%<hostname></b>.
-The ipsec starter resolves the fully-qualified hostname into the current IP address
-via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
-expected to change over time, the prefix '%' is used as an implicit alternative to the
-explicit <b>rightallowany=yes</b> option which will allow an IKE
-main mode rekeying to arrive from an arbitrary IP address under the condition that
-the peer identity remains unchanged. When this happens the old tunnel is replaced
-by an IPsec connection to the new origin.
-<p>
-In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
-<b>moon</b> which has a named connection definition for each peer. Although
-the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
-the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
-
+++ /dev/null
-carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%defaultroute
- leftnexthop=%direct
- leftsourceip=PH_IP_CAROL1
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=%moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn moon
- left=%defaultroute
- leftnexthop=%direct
- leftsourceip=PH_IP_DAVE1
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=%moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/hosts: This file describes a number of hostname-to-address
-# mappings for the TCP/IP subsystem. It is mostly
-# used at boot time, when no name servers are running.
-# On small systems, this file can be used instead of a
-# "named" name server. Just add the names, addresses
-# and any aliases to this file...
-#
-
-127.0.0.1 localhost
-
-192.168.0.254 uml0.strongswan.org uml0
-10.1.0.254 uml1.strongswan.org uml1
-10.2.0.254 uml1.strongswan.org uml2
-
-10.1.0.10 alice.strongswan.org alice
-10.1.0.20 venus.strongswan.org venus
-10.1.0.1 moon1.strongswan.org moon1
-192.168.0.1 moon.strongswan.org moon
-192.168.0.110 carol.strongswan.org carol
-10.3.0.1 carol1.strongswan.org carol1
-192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
-192.168.0.220 dave.strongswan.org dave
-10.3.0.2 dave1.strongswan.org dave1
-192.168.0.2 sun.strongswan.org sun
-10.2.0.1 sun1.strongswan.org sun1
-10.2.0.10 bob.strongswan.org bob
-
-# IPv6 versions of localhost and co
-::1 ip6-localhost ip6-loopback
-fe00::0 ip6-localnet
-ff00::0 ip6-mcastprefix
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-ff02::3 ip6-allhosts
-
-# IPv6 solicited-node multicast addresses
-ff02::1:ff00:1 ip6-mcast-1
-ff02::1:ff00:2 ip6-mcast-2
-ff02::1:ff00:10 ip6-mcast-10
-ff02::1:ff00:15 ip6-mcast-15
-ff02::1:ff00:20 ip6-mcast-20
-
-# IPv6 site-local addresses
-fec1::10 ip6-alice.strongswan.org ip6-alice
-fec1::20 ip6-venus.strongswan.org ip6-venus
-fec1::1 ip6-moon1.strongswan.org ip6-moon1
-fec0::1 ip6-moon.strongswan.org ip6-moon
-fec0::10 ip6-carol.strongswan.org ip6-carol
-fec3::1 ip6-carol1.strongswan.org ip6-carol1
-fec0::15 ip6-winnetou.strongswan.org ip6-winnetou
-fec0::20 ip6-dave.strongswan.org ip6-dave
-fec3::2 ip6-dave1.strongswan.org ip6-dave1
-fec0::2 ip6-sun.strongswan.org ip6-sun
-fec2::1 ip6-sun1.strongswan.org ip6-sun1
-fec2::10 ip6-bob.strongswan.org ip6-bob
-
-# IPv6 link-local HW derived addresses
-fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus
-fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice
-fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1
-fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon
-fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol
-fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
-fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave
-fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun
-fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1
-fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=%defaultroute
- leftnexthop=%direct
- leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP_MOON1
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn carol
- right=%carol.strongswan.org
- rightid=carol@strongswan.org
- rightsubnet=PH_IP_CAROL1/32
- auto=add
-
-conn dave
- right=%dave.strongswan.org
- rightid=dave@strongswan.org
- rightsubnet=PH_IP_DAVE1/32
- auto=add
+++ /dev/null
-carol::ipsec stop
-dave::ipsec stop
-moon::sleep 1
-moon::ipsec stop
-moon::mv /etc/hosts.ori /etc/hosts
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
+++ /dev/null
-moon::mv /etc/hosts /etc/hosts.ori
-moon::mv /etc/hosts.stale /etc/hosts
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up moon
-dave::ipsec up moon
-carol::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
-In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
-marks all incoming AH packets with the ESP mark. The transport mode connection is
-tested by <b>carol</b> sending a ping to gateway <b>moon</b>.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES
-carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
-moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
-moon::tcpdump::AH.*ESP::YES
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow AH
- iptables -A INPUT -i eth0 -p 51 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- auth=ah
- ike=aes128-sha
- esp=aes128-sha1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- type=transport
- auto=add
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow AH
- iptables -A INPUT -i eth0 -p 51 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- auth=ah
- ike=aes128-sha
- esp=aes128-sha1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightid=carol@strongswan.org
- type=transport
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
+++ /dev/null
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
-In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
-marks all incoming AH packets with the ESP mark. The tunnel mode connection is
-tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind
-gateway <b>moon</b>.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
-moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
-moon::tcpdump::AH.*ESP::YES
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow AH
- iptables -A INPUT -i eth0 -p 51 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- auth=ah
- ike=aes128-sha
- esp=aes128-sha1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow AH
- iptables -A INPUT -i eth0 -p 51 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- auth=ah
- ike=aes128-sha
- esp=aes128-sha1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- rightid=carol@strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CCM_12_128::YES
-carol::ipsec statusall::AES_CCM_12_128::YES
+moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
+carol::ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- plutodebug="control crypt"
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- plutodebug="control crypt"
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+}
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
-carol::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
-moon::ip xfrm state::rfc3686(ctr(aes))::YES
+moon:: ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
+carol::ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
+moon:: ip xfrm state::rfc3686(ctr(aes))::YES
carol::ip xfrm state::rfc3686(ctr(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- plutodebug="control crypt"
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- plutodebug="control crypt"
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+}
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_GCM_16_256::YES
-carol::ipsec statusall::AES_GCM_16_256::YES
+moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
+carol::ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- plutodebug="control crypt"
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- plutodebug="control crypt"
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only
-ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac!</b>
+ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-modp2048!</b>
in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
the established tunnel.
-moon::ipsec statusall::rw.*IPsec SA established::YES
-carol::ipsec statusall::home.*IPsec SA established::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::ESP proposal: AES_GMAC_256::YES
-carol::ipsec statusall::ESP proposal: AES_GMAC_256::YES
+moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
+carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- ike=aes256-sha384-modp2048!
- esp=aes256gmac!
+ ike=aes256-sha256-modp2048!
+ esp=aes256gmac-modp2048!
conn home
left=PH_IP_CAROL
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- ike=aes256-sha384-modp2048!
- esp=aes256gmac!
+ ike=aes256-sha256-modp2048!
+ esp=aes256gmac-modp2048!
conn rw
left=PH_IP_MOON
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
--- /dev/null
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
+carol::ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
+moon:: ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
+carol::ip xfrm state::auth xcbc(aes)::YES
+moon:: ip xfrm state::auth xcbc(aes)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+ ike=aes256-sha256-modp2048!
+ esp=aes256-aesxcbc!
+
+conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
-
-conn home
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+ ike=aes256-sha256-modp2048!
+ esp=aes256-aesxcbc!
conn rw
left=PH_IP_MOON
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
-moon::ip xfrm state::auth xcbc(aes)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha2_256-modp2048!
- esp=aes256-aesxcbc!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes256-sha2_256-modp2048!
- esp=aes256-aesxcbc!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
+++ /dev/null
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP 1DES encryption algorithm with MD5 authentication. <b>moon</b> must
-explicitly accept the choice of this insecure algorithm by setting the strict
-flag '!' in <b>esp=des-md5!</b>. The tunnel is tested by <b>carol</b>
-sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
-carol::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
-moon::ip xfrm state::enc cbc(des)::YES
-carol::ip xfrm state::enc cbc(des)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-md5-modp1024!
- esp=des-md5!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-md5-modp1024!
- esp=des-md5!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP NULL encryption algorithm with SHA-1 authentication. <b>moon</b> must
-explicitly accept the choice of this insecure algorithm by setting the strict
-flag '!' in <b>esp=null-sha1!</b>. The tunnel is tested by <b>carol</b>
-sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>NULL / HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
-carol::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
-moon::ip xfrm state::enc ecb(cipher_null)::YES
+moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc ecb(cipher_null)::YES
carol::ip xfrm state::enc ecb(cipher_null)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- ike=aes-sha1
+ ike=aes128-sha1-modp2048!
esp=null-sha1!
conn home
left=PH_IP_CAROL
+ leftfirewall=yes
leftcert=carolCert.pem
leftid=carol@strongswan.org
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
- auto=add
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- ike=aes-sha1!
+ ike=aes128-sha1-modp2048!
esp=null-sha1!
conn rw
left=PH_IP_MOON
+ leftfirewall=yes
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
right=%any
- rightid=carol@strongswan.org
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
moon::ipsec stop
carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1
carol::ipsec up home
+carol::sleep 1
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
-
+++ /dev/null
-The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
-as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
-leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
+++ /dev/null
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES
-carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES
-moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO
-moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-sha1
- esp=3des-sha1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha1
- esp=aes128-sha1!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-Roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption (together with
-HMAC_SHA1 authentication) in the first place and <b>AES_CBC_128</b> encryption in
-second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines
-<b>ike=aes128-sha1</b> but will accept any other supported algorithm proposed
-by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces
-<b>esp=aes128-sha1!</b> by applying the strict flag '!'.
-
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
-carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-sha,aes128-sha1
- esp=3des-sha1,aes128-sha1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha1
- esp=aes128-sha1!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
+++ /dev/null
-The roadwarrior <b>carol</b> proposes <b>DES_CBC</b> encryption with HMAC_MD5 authentication
-as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does
-not use an explicit <b>esp</b> statement any strong encryption algorithm will be
-accepted but any weak key length will be rejected by default and thus the ISAKMP SA
-is bound to fail.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::IPSec Transform.*refused due to insecure key_len::YES
-moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-md5-modp1024!
- esp=des-md5!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn host-host
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyexchange=ikev1
conn host-host
- right=PH_IP_MOON
- rightcert=moonCert.pem
- rightid=@moon.strongswan.org
- rightfirewall=yes
left=PH_IP_SUN
+ leftcert=sunCert.pem
leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
sun::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::sleep 1
moon::ipsec up host-host
# All UML instances that are required for this test
#
UMLHOSTS="moon winnetou sun"
-
+
# Corresponding block diagram
#
DIAGRAM="m-w-s.png"
-
+
# UML instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
+++ /dev/null
-Same scenario as test <a href="../host2host-cert/"><b>host2host-cert</b></a> but with
-swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas
-<b>left</b> stands for the <b>remote</b> peer.
+++ /dev/null
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn host-host
- right=PH_IP_SUN
- rightcert=sunCert.pem
- rightfirewall=yes
- rightid=@sun.strongswan.org
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up host-host
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon winnetou sun"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-w-s.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rightid=@moon.strongswan.org
type=transport
auto=add
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
+++ /dev/null
-The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
-as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
-leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
+++ /dev/null
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-sha1
- esp=3des-sha1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha1!
- esp=aes128-sha1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-##!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with <b>HMAC_SHA1</b> authentication in the first place
-and <b>AES_CBC_128</b> encryption with <b>HMAC_SHA1</b> authentication in the second place for both the ISAKMP and IPsec SA.
-The gateway <b>moon</b> enforces <b>ike=aes128-sha!</b> for Phase 1 by using the strict flag '!',
-but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b>
-defines itself <b>esp=aes128-sha1</b> only.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES
-moon::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA::YES
-carol::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-sha1,aes128-sha1
- esp=3des-sha1,aes128-sha1
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128-sha1!
- esp=aes128-sha1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightid=carol@strongswan.org
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Using Mode Config push mode (<b>modeconfig=push</b>) the gateway <b>moon</b> assigns virtual
-IP addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
-<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
+++ /dev/null
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/auth.log::starting ModeCfg server in push mode::YES
-moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/auth.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- modeconfig=push
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- rekey=no
- keyexchange=ikev1
- modeconfig=push
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=%bigpool
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
-}
-
-libhydra {
- plugins {
- attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
-moon::ipsec pool --del bigpool 2> /dev/null
-moon::ipsec pool --del dns 2> /dev/null
-moon::ipsec pool --del nbns 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
+++ /dev/null
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
-moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
-moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config payload
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP
addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/auth.log::peer requested virtual IP %any::YES
-moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/auth.log::assigning virtual IP::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- rekey=no
keyexchange=ikev1
conn rw
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
}
libhydra {
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
moon::ipsec pool --del bigpool 2> /dev/null
moon::ipsec pool --del dns 2> /dev/null
moon::ipsec pool --del nbns 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --statusattr
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv1 Mode Config payload
-by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
-IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
-increasing order.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
-the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
-pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
+++ /dev/null
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool::YES
-moon::cat /var/log/auth.log::peer requested virtual IP %any::YES
-moon::cat /var/log/auth.log::assigning virtual IP::YES
-moon::ipsec leases rw::2/15, 2 online::YES
-moon::ipsec leases rw 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases rw 10.3.0.2::dave@strongswan.org::YES
-moon::ipsec statusall::rw.*carol@strongswan.org.*erouted::YES
-moon::ipsec statusall::rw.*dave@strongswan.org.*erouted::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightsourceip=10.3.0.0/28
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
-Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the
-<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
-addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
-to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from an SQLite-based pool
-named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
-<p>
-Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
-both ping the gateway <b>moon</b>.
+++ /dev/null
-carol::ipsec status::home.*IPsec SA established::YES
-alice::ipsec status::home.*IPsec SA established::YES
-moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES
-moon::ipsec status::int.*alice@strongswan.org.*erouted::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=%defaultroute
- leftsourceip=%config
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON1
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # masquerade crl fetches to winnetou
- iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
-
-conn int
- left=PH_IP_MOON1
- rightsourceip=%intpool
- auto=add
-
-conn ext
- left=PH_IP_MOON
- rightsourceip=10.3.0.0/28
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
-}
-
-libhydra {
- plugins {
- attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
- }
- }
-}
-
-pool {
- load = sqlite
-}
+++ /dev/null
-carol::ipsec stop
-alice::ipsec stop
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del 10.3.0.1/32 dev eth0
-alice::ip addr del 10.4.0.1/32 dev eth0
-moon::ip route del 10.3.0.0/16 via PH_IP_MOON
-moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
-moon::conntrack -F
-moon::ipsec pool --del intpool 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
+++ /dev/null
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
-moon::ip route add 10.3.0.0/16 via PH_IP_MOON
-moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-alice::ipsec start
-carol::sleep 2
-carol::ipsec up home
-alice::ipsec up home
-alice::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice carol"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice moon carol"
+++ /dev/null
-The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
-Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the
-<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
-addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
-to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined
-by <b>rightsourceip=10.4.0.0/28</b> to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
-<p>
-Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and
-both ping the gateway <b>moon</b>.
+++ /dev/null
-carol::ipsec status::home.*IPsec SA established::YES
-alice::ipsec status::home.*IPsec SA established::YES
-moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES
-moon::ipsec status::int.*alice@strongswan.org.*erouted::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases int::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases int 10.4.0.1::alice@strongswan.org::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=%defaultroute
- leftsourceip=%config
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON1
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%config
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
- iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # masquerade crl fetches to winnetou
- iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
-
-conn int
- left=PH_IP_MOON1
- rightsourceip=10.4.0.0/28
- auto=add
-
-conn ext
- left=PH_IP_MOON
- rightsourceip=10.3.0.0/28
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-alice::ipsec stop
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del 10.3.0.1/32 dev eth0
-alice::ip addr del 10.4.0.1/32 dev eth0
-moon::ip route del 10.3.0.0/16 via 192.168.0.1
-moon::ip route del 10.4.0.0/16 via 10.1.0.1
-moon::conntrack -F
-moon::rm /etc/ipsec.d/ipsec.*
+++ /dev/null
-moon::ip route add 10.3.0.0/16 via 192.168.0.1
-moon::ip route add 10.4.0.0/16 via 10.1.0.1
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-alice::ipsec start
-carol::sleep 2
-carol::ipsec up home
-alice::ipsec up home
-alice::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice carol"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice moon carol"
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%modeconfig</b> parameter. After setting up an IPsec SA to reach
-the hosts <b>alice</b> and <b>venus</b>, respectively, both roadwarriors set up a second
-IPsec SA to <b>venus</b> and <b>alice</b>, respectively, inheriting the virtual IP address
-from the previous Mode Config negotiation.
+++ /dev/null
-carol::cat /var/log/auth.log::alice.*setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::cat /var/log/auth.log::venus.*inheriting virtual IP source address PH_IP_CAROL1 from ModeCfg::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::cat /var/log/auth.log::venus.*setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::cat /var/log/auth.log::alice.*inheriting virtual IP source address PH_IP_DAVE1 from ModeCfg::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::carol-alice.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::carol-venus.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave-venus.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave-alice.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
-venus::tcpdump::IP carol1.strongswan.org > venus.strongswan.org: ICMP echo request::YES
-venus::tcpdump::IP venus.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-venus::tcpdump::IP dave1.strongswan.org > venus.strongswan.org: ICMP echo request::YES
-venus::tcpdump::IP venus.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn alice
- also=home
- rightsubnet=10.1.0.10/32
- auto=add
-
-conn venus
- also=home
- rightsubnet=10.1.0.20/32
- auto=add
-
-conn home
- left=192.168.0.100
- leftsourceip=%modeconfig
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=192.168.0.1
- rightid=@moon.strongswan.org
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn alice
- also=home
- rightsubnet=10.1.0.10/32
- auto=add
-
-conn venus
- also=home
- rightsubnet=10.1.0.20/32
- auto=add
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%modeconfig
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=192.168.0.1
- leftsourceip=10.1.0.1
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn carol-alice
- also=carol
- leftsubnet=10.1.0.10/32
- rightsourceip=10.3.0.1
- auto=add
-
-conn carol-venus
- also=carol
- leftsubnet=10.1.0.20/32
- rightsourceip=%carol-alice
- auto=add
-
-conn carol
- right=%any
- rightid=carol@strongswan.org
-
-conn dave-alice
- also=dave
- leftsubnet=10.1.0.10/32
- rightsourceip=10.3.0.2
- auto=add
-
-conn dave-venus
- also=dave
- leftsubnet=10.1.0.20/32
- rightsourceip=%dave-alice
- auto=add
-
-conn dave
- right=%any
- rightid=dave@strongswan.org
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
- dns1 = PH_IP_WINNETOU
- dns2 = PH_IP6_VENUS
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
-carol::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice venus"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%modeconfig</b> parameter. By setting the option <b>modeconfig=push</b>
-on both the roadwarriors and the gateway, the Mode Config server <b>moon</b> will actively push
-the configuration down to <b>carol</b> and <b>dave</b>.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
-<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will
-be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
+++ /dev/null
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- rekey=no
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%modeconfig
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- modeconfig=push
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%modeconfig
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- modeconfig=push
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- modeconfig=push
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP_MOON1
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn rw-carol
- right=%any
- rightid=carol@strongswan.org
- rightsourceip=PH_IP_CAROL1
- auto=add
-
-conn rw-dave
- right=%any
- rightid=dave@strongswan.org
- rightsourceip=PH_IP_DAVE1
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
- dns1 = PH_IP_WINNETOU
- dns2 = PH_IP_VENUS
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-Same scenario as test <a href="../mode-config/"><b>mode-config</b></a> but with
-swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas
-<b>left</b> stands for the <b>remote</b> peer.
+++ /dev/null
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- right=PH_IP_CAROL
- rightsourceip=%modeconfig
- rightcert=carolCert.pem
- rightid=carol@strongswan.org
- rightfirewall=yes
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- right=PH_IP_DAVE
- rightsourceip=%modeconfig
- rightcert=daveCert.pem
- rightid=dave@strongswan.org
- rightfirewall=yes
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightsourceip=PH_IP_MOON1
- rightcert=moonCert.pem
- rightid=@moon.strongswan.org
- rightfirewall=yes
-
-conn rw-carol
- left=%any
- leftid=carol@strongswan.org
- leftsourceip=PH_IP_CAROL1
- auto=add
-
-conn rw-dave
- left=%any
- leftid=dave@strongswan.org
- leftsourceip=PH_IP_DAVE1
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%modeconfig
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
- dns1 = PH_IP_WINNETOU
- dns2 = PH_IP_VENUS
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
--- /dev/null
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the responders <b>carol</b> and <b>dave</b>, respectively.
--- /dev/null
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
-conn home
+conn alice
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftsendcert=ifasked
right=PH_IP_MOON
rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ rightsubnet=PH_IP_ALICE/32
auto=add
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+
+conn venus
left=PH_IP_DAVE
leftcert=daveCert.pem
leftid=dave@strongswan.org
+ leftsendcert=ifasked
right=PH_IP_MOON
rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
rightsubnet=PH_IP_VENUS/32
auto=add
-
-
-
-
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
+ plutostart=no
ca strongswan
cacert=strongswanCert.pem
keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
+ leftsendcert=ifasked
leftid=@moon.strongswan.org
conn alice
leftsubnet=PH_IP_ALICE/32
- right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ right=PH_IP_CAROL
+ rightid=carol@strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ auto=add
+
+conn venus
+ leftsubnet=PH_IP_VENUS/32
+ right=PH_IP_DAVE
+ rightid=dave@strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
--- /dev/null
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
+dave::ipsec start
moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+moon::sleep 2
+moon::ipsec up alice
+moon::ipsec up venus
--- /dev/null
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the initiators <b>carol</b> and <b>dave</b>, respectively.
--- /dev/null
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
+ leftsendcert=ifasked
right=PH_IP_MOON
rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
conn alice
rightsubnet=PH_IP_ALICE/32
auto=add
-
-
-
-
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyexchange=ikev1
left=PH_IP_DAVE
leftcert=daveCert.pem
+ leftsendcert=ifasked
right=PH_IP_MOON
rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
conn venus
rightsubnet=PH_IP_VENUS/32
auto=add
-
-
-
-
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
+ plutostart=no
ca strongswan
cacert=strongswanCert.pem
keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
+ leftsendcert=ifasked
leftid=@moon.strongswan.org
conn alice
leftsubnet=PH_IP_ALICE/32
right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
auto=add
conn venus
leftsubnet=PH_IP_VENUS/32
right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
auto=add
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
--- /dev/null
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
carol::sleep 2
carol::ipsec up alice
-carol::ipsec up venus
dave::ipsec up venus
-dave::ipsec up alice
+++ /dev/null
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
-<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
-<p>
-By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
-Sales CAs must be fetched from the LDAP server <b>winnetou</b> first, before the
-connection setups can be successfully completed.
+++ /dev/null
-moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
-dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow ldap crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
- auto=add
-
-ca research
- cacert=researchCert.pem
- crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList"
- auto=add
-
-ca sales
- cacert=salesCert.pem
- crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList"
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
- auto=add
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-
+++ /dev/null
-winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
+++ /dev/null
-The roadwarrior <b>carol</b>, possessing a certificate issued by the
-Research CA, tries to set up a tunnel to gateway <b>moon</b>.
-The Research CA's certificate is signed by the Sales CA and
-the Sales CA's certificate in turn is signed by the Research CA.
-This leads to an endless trust path loop but which is aborted by
-<b>moon</b> when the path level reaches a depth of 7 iterations.
+++ /dev/null
-moon::cat /var/log/auth.log::maximum path length of 7 exceeded::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
- auto=add
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
-CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
-rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID
-BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx
-4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q
-m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
-/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
-x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB
-ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B
-bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4
-hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk
-WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy
-02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF
-yuVPkDSgPds6m0KQcEVnuaU=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz
-OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
-BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
-/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
-4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6
-XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562
-kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj
-gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
-p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD
-ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx
-qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7
-MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD
-Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16
-EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo
-aeDWsllgAdqMA2fL7i9tsFHZVYk=
------END CERTIFICATE-----
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
+++ /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The <b>strongSwan Root CA</b> constrains the path length to <b>one</b> intermediate CA
-but the <b>Research CA</b> creates a subsidiary <b>Duck Research CA</b> which in turn
-issues an end entity certificate to roadwarrior <b>carol</b> so that the total
-path length becomes <b>two</b>. This is detected by gateway <b>moon</b> which aborts
-the negotiation.
+++ /dev/null
-moon::cat /var/log/auth.log::path length of 2 violates constraint of 1::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::duck.*STATE_QUICK_R2.*IPsec SA established::NO
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
-c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
-Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
-w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
-rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
-UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
-aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
-33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
-ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
-zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
-DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
-QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
-5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
-44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
-Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
-2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
-PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
-LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
-Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
-VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
-Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
-6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
-Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
-Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
-Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
-QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn duck
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftsendcert=ifasked
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- right=%any
- rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA"
- auto=add
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
-891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
------END CERTIFICATE-----
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
+++ /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The roadwarrior <b>carol</b> possesses a certificate issued by the Research CA.
-The certificate of the Research CA has been revoked by the Root CA by entering
-the serial number in the CRL. Therefore upon verification of the trust path
-the gateway <b>moon</b> will reject the roadwarrior's certificate
+++ /dev/null
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::certificate was revoked::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec listcrls:: ok::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
-N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
-dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
-hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
-HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
-3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
-Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
-AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
-891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
-YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
-ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
-il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
-CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
-n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
-8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
-pwU12A3BovJKUaR0B7Uy2A==
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
-azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
-nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
-b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
-H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
-GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
-N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
-er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
-kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
-BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
-Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
-DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
-waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
-1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
-RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
-CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
-eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
-FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
-auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
-rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
-iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
-qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
-/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
-hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
-5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
-FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
-zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
-/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
-C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
-+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
-BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
-VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1
-LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa
-6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN
-T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r
-9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL
-cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq
-YO2C4HE=
------END CERTIFICATE-----
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
-<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
-<p>
-By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
-Sales CAs must be fetched first, before the connection setups can be successfully completed.
+++ /dev/null
-moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
-dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
-
-
-
-
-
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
-N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
-dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
-hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
-HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
-3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
-Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
-AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
-891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
-YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
-ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
-il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
-CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
-n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
-8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
-pwU12A3BovJKUaR0B7Uy2A==
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
-azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
-nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
-b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
-H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
-GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
-N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
-er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
-kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
-BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
-Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
-DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
-waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
-1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
-RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
-CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
-eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
-FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
-auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
-rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
-iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
-qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
-/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
-hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
-5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
-FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
-zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
-/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
-C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
-+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
-BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
-VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
-FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
-cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
-POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
-xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
-dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
-8sFmiZI=
------END CERTIFICATE-----
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-carol::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES
-moon::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES
-dave::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES
-moon::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
+dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
leftsendcert=ifasked
right=PH_IP_MOON
rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
conn alice
rightsubnet=PH_IP_ALICE/32
conn venus
rightsubnet=PH_IP_VENUS/32
auto=add
-
-
-
-
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
leftsendcert=ifasked
right=PH_IP_MOON
rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
conn alice
rightsubnet=PH_IP_ALICE/32
conn venus
rightsubnet=PH_IP_VENUS/32
auto=add
-
-
-
-
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
ca strongswan
cacert=strongswanCert.pem
right=%any
rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
auto=add
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
+++ /dev/null
-An IPsec tunnel connecting the gateway <b>moon</b> with the subnet behind
-gateway <b>sun</b> is set up. This host-to-net connection can also be
-used by the clients <b>alice</b> and <b>venus</b> via the trick of NAT-ing
-them to the outer IP address of gateway <b>moon</b> prior to tunnelling.
-The IPsec tunnel is first tested by <b>moon</b> pinging <b>bob</b> and vice versa,
-followed by the NAT-ed clients <b>alice</b> and <b>venus</b> pinging <b>bob</b>.
+++ /dev/null
-moon::ipsec status::host-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-net.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::ICMP::YES
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # NAT traffic from 10.1.0.0/16
- iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
-
- # forward traffic from 10.1.0.0/16 to POSTROUTING chain
- iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT
- iptables -A FORWARD -o eth1 -i eth0 -d 10.1.0.0/16 -s 10.2.0.0/16 -j ACCEPT
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn host-net
- left=192.168.0.1
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=192.168.0.2
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn host-net
- left=192.168.0.2
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
- leftsubnet=10.2.0.0/16
- right=%any
- auto=add
+++ /dev/null
-moon::iptables -t nat -v -n -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up host-net
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
+++ /dev/null
-The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
-gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the
-client <b>bob</b> behind the gateway <b>sun</b>.
+++ /dev/null
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+++ /dev/null
-alice::ipsec stop
-sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
+++ /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-sun::ipsec start
-alice::sleep 5
-alice::ipsec up nat-t
-
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice sun"
--- /dev/null
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: sleep 6::no output expected::NO
+bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- nat_traversal=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- authby=secret
conn nat-t
- left=%defaultroute
+ left=%any
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
leftfirewall=yes
right=PH_IP_SUN
+ rightid=@sun.strongswan.org
rightsubnet=10.2.0.0/16
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- nat_traversal=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- authby=secret
-
+
conn nat-t
left=PH_IP_SUN
- leftsubnet=10.2.0.0/16
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
leftfirewall=yes
+ leftsubnet=10.2.0.0/16
right=%any
- rightsubnetwithin=10.1.0.0/16
+ rightsubnet=10.1.0.0/16
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- nat_traversal=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- authby=secret
-
+
conn nat-t
- left=%defaultroute
+ left=%any
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
leftfirewall=yes
right=PH_IP_SUN
+ rightid=@sun.strongswan.org
rightsubnet=10.2.0.0/16
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+ keep_alive = 5
+}
alice::ipsec start
venus::ipsec start
sun::ipsec start
-alice::sleep 5
+alice::sleep 2
alice::ipsec up nat-t
-venus::sleep 5
+venus::sleep 2
venus::ipsec up nat-t
+venus::sleep 2
+++ /dev/null
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
-after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
-<p/>
-In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
-<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
-the <b>mark</b> parameter in ipsec.conf.
-<p/>
-<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
-and from <b>alice</b> and <b>venus</b>, respectively.
-<p/>
-The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
-iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules
-that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b>
-and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
+++ /dev/null
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::alice.*alice@strongswan.org::YES
-sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::venus.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn nat-t
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control parsing" #parsing to get knl 2 messages
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn alice
- rightid=alice@strongswan.org
- mark=10/0xffffffff
- also=sun
- auto=add
-
-conn venus
- rightid=@venus.strongswan.org
- mark=20 #0xffffffff is used by default
- also=sun
- auto=add
-
-conn sun
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftupdown=/etc/mark_updown
- right=%any
- rightsubnet=10.1.0.0/25
+++ /dev/null
-#! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communica-
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_REQID
-# is the requid of the ESP policy
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
-# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client sub-
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
-#
-# PLUTO_XAUTH_ID
-# is an optional user ID employed by the XAUTH protocol
-#
-# PLUTO_MARK_IN
-# is an optional XFRM mark set on the inbound IPsec SA
-#
-# PLUTO_MARK_OUT
-# is an optional XFRM mark set on the outbound IPsec SA
-#
-# PLUTO_UDP_ENC
-# contains the remote UDP port in the case of ESP_IN_UDP
-# encapsulation
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
-export PATH
-
-# uncomment to log VPN connections
-VPN_LOGGING=1
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice -/var/log/vpn
-
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
- echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
- exit 2
- ;;
-1.*) ;;
-*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
- exit 2
- ;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':') # no parameters
- ;;
-iptables:iptables) # due to (left/right)firewall; for default script only
- ;;
-custom:*) # custom parameters (see above CAUTION comment)
- ;;
-*) echo "$0: unknown parameters \`$*'" >&2
- exit 2
- ;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
- if [ -n "$PLUTO_UDP_ENC" ]
- then
- SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
- else
- SET_MARK="-p esp"
- fi
- SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
-up-host:)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK
- fi
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # log IPsec host connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-down-host:)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK
- fi
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # log IPsec host connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK
- fi
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # log IPsec client connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK
- fi
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # log IPsec client connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn nat-t
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=venusCert.pem
- leftid=@venus.strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
-sun::rm /etc/mark_updown
+++ /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500 -j SNAT --to PH_IP_MOON:510
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2
-alice::ipsec up nat-t
-venus::sleep 2
-venus::ipsec up nat-t
-venus::sleep 2
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
+++ /dev/null
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
-ping the client <b>bob</b> behind the gateway <b>sun</b>.
+++ /dev/null
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES
-sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::rm /etc/ipsec.d/cacerts/*
-venus::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 5
-alice::ipsec up nat-t
-venus::sleep 5
-venus::ipsec up nat-t
+++ /dev/null
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*alice@strongswan.org::YES
-sun::ipsec status::nat-t.*venus.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+++ /dev/null
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
-conn net-net
+conn net-net
left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
leftcert=moonCert.pem
leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
leftfirewall=yes
right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
rightid=@sun.strongswan.org
- auto=route
+ rightsubnet=10.2.0.0/16
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
- keyingtries=1
+ keyingtries=1
keyexchange=ikev1
-conn net-net
+conn net-net
left=PH_IP_SUN
leftcert=sunCert.pem
leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
leftfirewall=yes
- leftsubnet=0.0.0.0/0
right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null
+
sun::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
sun::ipsec start
-moon::sleep 2
+moon::sleep 1
moon::ipsec up net-net
+++ /dev/null
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
+++ /dev/null
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control parsing"
- nocrsend=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.asc
- leftid=@#71270432cd763a18020ac988c0e75aed
- leftfirewall=yes
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightcert=sunCert.asc
- auto=add
+++ /dev/null
-Type Bits/KeyID Date User ID
-pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
-Type Bits/KeyID Date User ID
-pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
-Type Bits/KeyID Date User ID
-sec 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
-JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
-FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
-7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
-0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
-8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
-QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
-biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
-=YFQm
------END PGP SECRET KEY BLOCK-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.asc
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- nocrsend=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- left=PH_IP_SUN
- leftsubnet=10.2.0.0/16
- leftcert=sunCert.asc
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightcert=moonCert.asc
- rightid=@#71270432cd763a18020ac988c0e75aed
- auto=add
+++ /dev/null
-Type Bits/KeyID Date User ID
-pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
-Type Bits/KeyID Date User ID
-pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
-Type Bits/KeyID Date User ID
-sec 1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
-Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
-GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
-vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
-LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
-2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
-xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
-IDxzdW4uc3Ryb25nc3dhbi5vcmc+
-=DwEu
------END PGP SECRET KEY BLOCK-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.asc
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
+++ /dev/null
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP V4 keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
+++ /dev/null
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control parsing"
- nocrsend=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.asc
- leftfirewall=yes
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightcert=sunCert.asc
- rightid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
- auto=add
+++ /dev/null
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
-UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
-nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
-6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
-I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
-JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
-bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
-CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
-N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
-1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
-D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
-/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
-1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
-CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
-ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
-21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
-mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
-G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
-spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
-=j2hu
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
-QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
-/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
-CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
-B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
-4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
-Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
-CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
-0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
-eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
-RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
-6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
-vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
-EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
-Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
-mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
-t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
-gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
-lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
-=tAh4
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
------BEGIN PGP PRIVATE KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-lQOYBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
-UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
-nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
-6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
-I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
-JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAEAB/42Vsa7NTpAgwe92+gx
-nscTQsjTs9xf5VSQV6gRKWmUAQYNZoNDue2Ot5AeBJFWV8x++fWAZfrrkLJUkwu/
-Z8UcPbSuJhEsrG4F5B3owTy8cBPbNYd9c6JZAKFPBY8W5l9M5OQyUF1amiuk/1jX
-BNPEN6SBK3j0IhZvQ2bIgCJrxUH9igvOig2HmfOYv11UMzOErSA/eGRSA+TrM+QK
-BDCG1ae3dLe/pXtIuh1/jkLo7Byk0ofgv2+Ty/LSwBCj0vtUjtMHHRNZFRYFrNiN
-S6FyrS7+Q9BJolNkuXT83i4dm208+6bKQBPxV3ZaLgf2y19/g5av8f745ercygQI
-MdGBBADaWGKpev55Oom2gNV4jaQFaAc4K4OqW1IbsXk8QSl1iaoHmt9VlGP+A+8O
-GG+h0cfIlUHnAC29Hs5lDnlByqdTnG9zTyOrnzZEY1+jFGGgs+O/ehS3riGI5dB8
-mwReZfY/aqp7naLkkymHuIAizmxkYORPZtTugyi99Zha4m8j4QQA+39fTOthVIYi
-RXMzGknEjh9fMLvCkx33ghapCtc4ftJRACfaatQJVBG2li7LHbPg9fboIyG/x/Ey
-iyGtPxwBLo7MJige6xpzVB4Qk+zLDCKouca29uY1rGQzZ0FTmMMtu3Rm+dKh9lLv
-vg7ZJNTfhxldC+R/L/gOIBWEzy/iXaMD/2A+wQuKDLDRb9/sOiq/6z7Ryl6FPbTC
-AvvNU3hJtRImfmHodob//zzYYgOY7exY/qubC6FsDW4AN+2iHesCdIzCrAG7v9X3
-Rn1WPq96FfY2y5b6qEl8Tx+a71TZi5RJRtoWPe3IolausE0T3IjRbWI4XgMu/T5o
-Rmv/f5gyc5OxPpG0E21vb24uc3Ryb25nc3dhbi5vcmeJATcEEwECACEFAkpg0UQC
-GwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AACgkQ9djQiWs7dNHHNQf/UiwJPioL
-ef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8KN2yl6/L8djIdox0jw3yCYhCWxf94
-N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K1niLPYmJf5sMWXPAmetT6tNEHNhk
-mE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1YD4HulHK0nfMxf1gVmFhRFtGpzrGS
-26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk/EoRdO7hDOAEk80Gp23bDX6ygnvs
-AqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv1I5GZ96wAo+s+KZAXaHlxFvq7r6O
-MzxgEWTtyNTtGw==
-=Vb4y
------END PGP PRIVATE KEY BLOCK-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.asc
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- nocrsend=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- left=PH_IP_SUN
- leftsubnet=10.2.0.0/16
- leftcert=sunCert.asc
- leftid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightcert=moonCert.asc
- auto=add
+++ /dev/null
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
-UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
-nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
-6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
-I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
-JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
-bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
-CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
-N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
-1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
-D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
-/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
-1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
-CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
-ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
-21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
-mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
-G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
-spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
-=j2hu
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
-QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
-/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
-CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
-B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
-4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
-Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
-CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
-0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
-eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
-RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
-6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
-vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
-EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
-Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
-mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
-t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
-gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
-lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
-=tAh4
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
------BEGIN PGP PRIVATE KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-lQOYBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
-QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
-/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
-CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
-B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
-4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAEAB/0XU57hkU9R6mSoALnt
-Qh+aqsDjOEvEllPTGmH+icFipJP9g0lr+B8EQ0egCUyj3Kb36mS7Yw+0Bv4WDxlh
-9bm7Iohhn7vIWz9Y4HvjSWi+vGJLiWI+TkkqLz0zUAGemTjU2snKzNfwDrd3WFRn
-VsZxKxpiBAITzk+nWSHGp+yCfl3NVaA/MYAI+FgiQlq/qTCRreEsexAJ09weDLGN
-P95V4E6LACRy+wiy7X0lRzS1047UUtTcZUF6c5ERfgAGT5NKT/ZA4THZy5pPrSOw
-bRIHbozSlWbnrZNz8DNa4iyHsEw/42IvjU/LflmGWL2hvVxA40ezlxGVi5ea5gFV
-5q9dBADWGXToEaHMqie/HAC4+1/VCTmAvqIKcegNWHCL1PGYBBfRonF/TDcbkawy
-0ATlk+rkyTaRvkapb1LdqE1qThGQWC6iLb3v8E2UEizCM1VFo2EqcKxbCoJdsEtR
-mrK/zIqZ/h/4iEu/ekLPeDwdIWWdBlfYTtTwdMH40eoPOLyo/QQA7+dSOQcAUp8H
-1NuNpyK+9M3/mkpXRF3cqdiY7AnHIf4WWDtgDUHugtO8HlAkq4cL27QYBojVHCqB
-P+NLJo6A35nNbt2IPqAotCgk8NlgtsA+oJ9tvWGarOLMnIt0eBv80blqa5PGeoFt
-EuYxYO2bRAE2cQtMXPMLKpl3VKSRMR8EAKINBJ81zq2twDG1qvRg40XAz2LOKkFd
-B+fNAd0JSC8+qx4MMdn0iL6WaCIN6t1wzI7l1whLUc7f3MPF2dwrsrB9j3MgHppr
-GBLl0A3a1tIkWPAejMcpSgFR63ooQQgoX+XH0woST3wgHTZT6fF+zFn3eaGJ3wqv
-JNcE4vcbJf1COoi0EnN1bi5zdHJvbmdzd2FuLm9yZ4kBNwQTAQIAIQUCSmDRuAIb
-AwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAKCRCXegSsjRY407LCCACqHrnT1xqs
-QRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g0P+Scnu84xj1o5bRWX2WyPYZUgDY
-6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0eNYmehGoIes4JfQm08UM7roywGaa
-WAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/DRLu5rvCB6m5u62RncmppraAYuQWR
-jZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG6XXcCnBr/34g/bQXWRxBhbf91ewV
-aDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97jvnvvZKUwbd/TRFJkorkhkRpA1wSr
-J0tAsvODgc8b
-=QOF4
------END PGP PRIVATE KEY BLOCK-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA sunKey.asc
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and
-<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b>
-(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not
-match, so that the responder cannot decrypt ISAKMP message MI3. The resulting
-encrypted notification message cannot in turn be read by the initiator
-<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of
-PAYLOAD_MALFORMED messages is suppressed.
+A connection between the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b>
+uses a wrong PSK. This makes it impossible for gateway <b>sun</b> to decrypt the
+IKEv1 message correctly. Thus <b>sun</b> returns a <b>PAYLOAD-MALFORMED</b> error
+notify which in turn cannot be decrypted by <b>moon</b>.
-moon::cat /var/log/auth.log::malformed payload in packet::YES
-sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES
-sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES
-moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO
-sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO
-
+sun:: cat /var/log/daemon.log::invalid ID_V1 payload length, decryption failed::YES
+sun:: cat /var/log/daemon.log::generating INFORMATIONAL_V1 request.*HASH N(PLD_MAL)::YES
+moon::cat /var/log/daemon.log::invalid HASH_V1 payload length, decryption failed::YES
+moon::cat /var/log/daemon.log::ignore malformed INFORMATIONAL request::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- keyexchange=ikev1
authby=secret
-
+ keyexchange=ikev1
+
conn net-net
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
+ leftfirewall=yes
right=PH_IP_SUN
rightsubnet=10.2.0.0/16
rightid=@sun.strongswan.org
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- keyexchange=ikev1
authby=secret
-
+ keyexchange=ikev1
+
conn net-net
left=PH_IP_SUN
leftsubnet=10.2.0.0/16
leftid=@sun.strongswan.org
+ leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
}
moon::ipsec stop
sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
sun::ipsec start
moon::sleep 2
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
+++ /dev/null
-A tunnel that will connect the subnets behind the gateways <b>moon</b>
-and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute
-on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
-A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
-<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
-leads to the automatic establishment of the subnet-to-subnet tunnel.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
-that let pass the tunneled traffic.
+++ /dev/null
-moon::cat /var/log/auth.log::initiate on demand from PH_IP_ALICE::YES
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-alice::ping -c 10 PH_IP_BOB
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
+++ /dev/null
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>raw RSA keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
+++ /dev/null
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
- leftfirewall=yes
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA {
- # RSA 2048 bits moon.strongswan.org Wed Dec 8 21:41:27 2004
- # for signatures only, UNSAFE FOR ENCRYPTION
- #pubkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
- Modulus: 0x7e9a4784085e419bb5e70e49247e6827cbf4d99dd4e43755f3159581ee726ba0cddc4e4df332d7523d7f2163d190c551964ac99406aee6180e50c77f49a51369cb3c56ef045c31bc2a0eab86d4f45f6e52f35758b175738648b50d697a27a8323f8797c292a4ee66d2db138ab73dfe0f990030cd6556693650d605d7a94a8a94deb6d7c1e6daf6ef35113f0811ee14c99a0b3d758dc92f68fbdca812d9cd14f1f5bfcc8bea83eb14fb93d4696079ad686089f7979dd5b63a49991aa601d6bbcf3fdcce9bc42cc3d0a380de815bc25907905c9a196141dbe7dcecbe817d8ab4c2bfddf38b5074ec449f70702d3ad52a8efee80c43acc8b423e6e50f69ddf5cc63
- PublicExponent: 0x03
- # everything after this point is secret
- PrivateExponent: 0x1519b69601650aef48fbd7b6db6a66b14ca8ceefa37b5e8e532e4395a7bdbc9accfa0d0cfdddce8db4ea8590a2ed763843b72198abc7d1040262cbea8c462de6f734b927d60f5d9f5c57c741237e0fe7b87de3e41d9393410c1e2ce6e9b146b30a96994b1870d2667879d8971e8a5502998008223b8e66de62ce564e9c37171893a0e8a94749590fef394b9deda1e73937b1c664d2e4764ae49572771130a097024380c258fa25f9083eefc5eabe762d8e856237bdd8ad8217f899688f70ac1f37650dc08bf3748b74a4f30873842fe27bdfbc49d0cb14c3861ff18b1219153ddb69e5bcb09ff691473a856e63e23d2f36389959f804e82b13a547decc7d6df7
- Prime1: 0xc11b8705063c662ee0a168b904bbd9c514025360c75e43e7c60c3c17846ede31bba328dfaf8abf513175f312a4263645db0f0797ca7f36d04f996680772264a63c1f76a2a2fe250aa0ca8e96122438bdd5b327e925742047f2b7d0fe3fa6ea07a10cd9a40f8994a95af505116131584c5fc247a7d69df08bfac1b5a23b7c157f
- Prime2: 0xa7d5dcc534e67a60b918109b7b66cfad37de43b7d51025bfda4fbd30ee3a73362c879f1e251c47ed98a442b33bdcb2112e5aa2b160426e5d6a2c1bb22e104e6db75f0575d979e38146d89db8948500fad36b0875570b3f0ac5754440d14d4b47fa55b77b1d2b9033991c4a858256632759d22c80060d52957643aa8ed789231d
- Exponent1: 0x80bd04ae0428441f406b9b260327e68362ac3795da3ed7efd95d7d6502f4942127c21b3fca5c7f8b764ea20c6d6eced93cb4afba86ff79e03510ef004f6c43197d6a4f17175418b1c08709b9616d7b2939221a9b6e4d6adaa1cfe0a97fc49c05160891180a5bb870e74e0360eb763add952c2fc539bea05d51d67916d252b8ff
- Exponent2: 0x6fe3e8837899a6eb26100b1252448a737a942d2538b56e7fe6dfd375f426f779730514bec3682ff3bb182c777d3dcc0b743c6c76402c49939c1d67cc1eb5899e7a3f58f93ba697ab84906925b858ab51e2475af8e4b22a072e4e2d808b88dcdaa6e3cfa768c7b577bb6831ae56e4421a3be173000408e1b8f98271b48fb0c213
- Coefficient: 0x0a9ea0e995d8d635ac37b5d5f1121ecd4d6387262ea65ea969499ec4c7af9d7a79b256654bda5c972b6efaf5aba35d6790ce4db39258930488ddb2443d19c344312380bed3290f29f0ff5b0ce382622c849f3279f653a2b7c4cc8efbfc5098852fe39aee9da947e53ddfe58bb6b7bb02b693a1b1228dc0481b681d51865d0339
- }
-# do not change the indenting of that "}"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- left=PH_IP_SUN
- leftsubnet=10.2.0.0/16
- leftid=@sun.strongswan.org
- leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA {
- # RSA 2048 bits sun.strongswan.org Wed Dec 8 21:44:27 2004
- # for signatures only, UNSAFE FOR ENCRYPTION
- #pubkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
- Modulus: 0xa24ae47d7bf58c6453b12b721d68504e4f60c6a0e6c50c95117a3a8b723329998db255b03d2e973e00418ac6a8dbdfb586eac568ddf0420c138086098cc3db346fa0d349e5da210968a96d4cf080bec5ed5f4fe17406c5b5b6d6843745931791fe27e6b8fdaad88381f2880fac8e8a876a09c254f335e519b99a49a0f75dd79920a0b647a70f8594abe35f3cbb8e72082a4e31c0028183d1da2cc116b7b1e6f2a8740d01bdf63d75bd79c2a2f44c5c3eb76be61479b8d5d13181ae981b68c5c13ac44bc233fb0f44ad616f2ca78b17399df310e5899be26742528b5419a0b22836b8a45e7cb1880feb1a5dfc75cc5c67513fe2b1a80e2c7deb38ea0a7c52e253
- PublicExponent: 0x03
- # everything after this point is secret
- PrivateExponent: 0x04eaff2a9726789e3114e24946b595d3d3dc250ca22500619bae5edd701110c697b0121c9d01696e7c21043490c0d83bcdc90dbd5c0f09c24e2aaeba78a1162860793cb4a9dfd274a614a638a27081e6f7ad8e0e96e8eeb7ee448fa49580941bb25e4ccf4d814c611373f49ba061690bdc6ce6dbc94f357ce69811bf0f40e780b643cbe7e076031f234e842b41bc10fb2d359617c64b434cb3dd4d9add91dcbcaef9fba1fb6f217a8ad65bde553bd2792c939ea8b5c0591598e7291597609a779a088e36c1ebe15ebb5e9a7774d9d9cd90913030b88e215f9e66fe0daafb198a3bb9d4e6277b625460ede2d84ce7f3334bf641829c826dbc1549625377c517db
- Prime1: 0xfee3308b1f16875eeb4ca7ba6a9b8f9279eceff06531aae2bb50d2ccbf7f2b0901f2c5e046856c54c338f4b79943f8ad6d20a97fe0a48786cd659aff3f55e3a8c4c09cad526975180d1c2905ba028b58dd05a71d3a268153fae62eb5e9fe9184b20f9fbd626b14054c4acd7e2de69934d91cbf239c7a63c9d2721cd466df26eb
- Prime2: 0xa3003cd898c297323377adeed7b4b214dc78e8bf0d9c2c0bef54ed53686547971847d7400e1d8055149ef6425e5241f28b43c8d52b48d281ae4fc7d0589ef8ad9ae95a05e2298cf679135cc0dd7378611e363380852313bfdc259cdb2543d5d1d1b492f6035ec72a2025529c5dff6995ad64b1b7dec3a3755a512073a50ba839
- Exponent1: 0xa9eccb076a0f04e9f2331a7c47125fb6fbf34aa0437671ec7ce08c887faa1cb0abf72e958458f2e32cd0a32510d7fb1e48c070ffeb185a59de43bcaa2a394270832b131e36f0f8bab3681b5926ac5ce5e8ae6f68d16f00e2a7441f23f1546103215fbfd396f20d58dd8733a973ef10cde6132a17bda6ed3136f6bde2ef3f6f47
- Exponent2: 0x6caad33b1081ba2177a51e9f3a7876b892fb45d4b3bd72b29f8df38cf043850f65853a2ab413aae36314a42c3ee1814c5cd7db38c785e1abc98a85359069fb1e67463c03ec1bb34efb623dd5e8f7a59614242255ae17627fe819133cc3828e8be1230ca4023f2f716ac38c683eaa4663c8edcbcfe9d7c24e3c3615a26e07c57b
- Coefficient: 0xbf865c3ed94693c7f16e04fd73929d7b4a3a296d6113eb9b01e87d5cf3be71afa2f838a5a82a97b55e8309025214312edefd3b77c989054bf28ec81bf3989d698671cb64eac9f016cc136f6ab78ce4d5d3837198eea5ec8ed057ba8e0e6f240a60202171f65be992d7bcd54ee0f803e5bd6b8385223b55440e095b28f01bbd0a
- }
-# do not change the indenting of that "}"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
+++ /dev/null
-A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b>
-and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b>
-sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b>
-sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are
-done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets.
-<p/>
-Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic whereas on gateway <b>sun</b> the script indicated by
-<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the
-connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create
-the necessary NETMAP operations and forward the tunneled traffic.
-<p/>
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
+++ /dev/null
-moon::ipsec statusall::net-net.*IPsec SA established::YES
-sun::ipsec statusall::net-net.*IPsec SA established::YES
-alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
-bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.0.0.0/14
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.4.0.0/14
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.4.0.0/14
- leftupdown=/etc/mark_updown
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.0.0.0/14
- mark_in=8
- mark_out=4
- auto=add
+++ /dev/null
-#! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communica-
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_REQID
-# is the requid of the ESP policy
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
-# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client sub-
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
-#
-# PLUTO_XAUTH_ID
-# is an optional user ID employed by the XAUTH protocol
-#
-# PLUTO_MARK_IN
-# is an optional XFRM mark set on the inbound IPsec SA
-#
-# PLUTO_MARK_OUT
-# is an optional XFRM mark set on the outbound IPsec SA
-#
-# PLUTO_UDP_ENC
-# contains the remote UDP port in the case of ESP_IN_UDP
-# encapsulation
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
-export PATH
-
-# check parameter(s)
-case "$1:$*" in
-':') # no parameters
- ;;
-iptables:iptables) # due to (left/right)firewall; for default script only
- ;;
-custom:*) # custom parameters (see above CAUTION comment)
- ;;
-*) echo "$0: unknown parameters \`$*'" >&2
- exit 2
- ;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-# define NETMAP
-SAME_NET=$PLUTO_PEER_CLIENT
-IN_NET=$PLUTO_MY_CLIENT
-OUT_NET="10.8.0.0/14"
-
-# define internal interface
-INT_INTERFACE="eth1"
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
- if [ -n "$PLUTO_UDP_ENC" ]
- then
- SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC"
- else
- SET_MARK_IN="-p esp"
- fi
- SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# is there an outbound mark to be set?
-if [ -n "$PLUTO_MARK_OUT" ]
-then
- SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK_IN
- iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
- -d $IN_NET -j NETMAP --to $SAME_NET
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
- iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
- -s $SAME_NET -j NETMAP --to $OUT_NET
- fi
- if [ -n "$PLUTO_MARK_OUT" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK_OUT
- iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
- -d $OUT_NET -j NETMAP --to $SAME_NET
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
- iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
- -s $SAME_NET -j NETMAP --to $IN_NET
- fi
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK_IN
- iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
- -d $IN_NET -j NETMAP --to $SAME_NET
- iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \
- -s $SAME_NET -j NETMAP --to $OUT_NET
- fi
- if [ -n "$PLUTO_MARK_OUT" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK_OUT
- iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
- fi
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
+++ /dev/null
-sun::iptables -t mangle -n -v -L PREROUTING
-sun::iptables -t nat -n -v -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-sun::conntrack -F
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 1
-moon::ipsec up net-net
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
+++ /dev/null
-A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
-respectively, is automatically established by means of the setting
-<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
-behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
-gateway <b>sun</b>.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
-that let pass the tunneled traffic.
+++ /dev/null
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=start
+++ /dev/null
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-alice::sleep 20
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
+++ /dev/null
-This scenario tests whether the correct encrypted informational messages are
-generated by the initiator <b>carol</b> and subsequently decoded by the
-responder <b>moon</b> when roadwarrior <b>carol</b> finds out that she
-doesn't have a private RSA key to sign her hash with.
+++ /dev/null
-carol::cat /var/log/auth.log::unable to locate my private key::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# missing private RSA key
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current revocation information is available, the Main Mode
-negotiation fails but an OCSP request issued to the OCSP server <b>winnetou</b>.
-When the second Main Mode trial comes around the OCSP response will be available
-but because the certificate presented by carol has been revoked,
-the IKE negotatiation will fail..
+++ /dev/null
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::certificate was revoked::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec listocsp:: revoked::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
-
-ca strongswan
- cacert=strongswanCert.pem
- ocspuri=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolRevokedCert.pem
- leftid=carol@strongswan.org
-
-conn home
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
-lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
-e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
-Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
-+BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
-TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
-ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
-jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
-nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
-6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
-cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
-q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
-0xafBd5x
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
-msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
-AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
-hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
-dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
-dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
-fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
-Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
-M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
-0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
-oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
-VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
-ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
-VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
-I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
-bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
-yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
-u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
-dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
-coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
-VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
-YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
-lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
-95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
-b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolRevokedKey.pem
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
-
-ca strongswan
- cacert=strongswanCert.pem
- ocspuri=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn net-net
- leftsubnet=10.1.0.0/16
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=add
-
-conn host-host
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- auto=add
-
-conn rw
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current revocation information is available, the Main Mode
-negotiation fails but an OCSP request is issued to the OCSP server <b>winnetou</b>.
-When the second Main Mode trial comes around, the OCSP response will be available
-and the IKE negotiation completes.
+++ /dev/null
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec listocsp:: good::YES
-carol::ipsec listocsp:: good::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
-
-ca strongswan
- cacert=strongswanCert.pem
- ocspuri=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
-
-conn home
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
-
-ca strongswan
- cacert=strongswanCert.pem
- ocspuri=http://ocsp.strongswan.org:8880
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn net-net
- leftsubnet=10.1.0.0/16
- right=PH_IP_SUN
- rightsubnet=10.2.0.0/16
- rightid=@sun.strongswan.org
- auto=add
-
-conn host-host
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- auto=add
-
-conn rw
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-All IP traffic from the subnet behind the gateway <b>moon</b> is tunneled
-to the gateway <b>sun</b> using the 0.0.0.0/0 network mask. In order
-to prevent local subnet traffic from escaping through the tunnel, a
-passthrough policy for the 10.1.0.0/16 network is inserted on <b>moon</b>.
-A series of internal and external pings verifies the correct
-functioning of the setup.
+++ /dev/null
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- right=PH_IP_SUN
-
-conn net-net
- rightsubnet=0.0.0.0/0
- rightid=@sun.strongswan.org
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftsourceip=10.1.0.1
- leftfirewall=yes
- lefthostaccess=yes
- auto=add
-
-conn pass
- rightsubnet=10.1.0.0/16
- type=passthrough
- authby=never
- auto=route
+++ /dev/null
-moon::ipsec stop
-sun::ipsec stop
-moon::ip route flush table 50
-moon::ip rule del table 50
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::iptables -I INPUT -i eth1 -s 10.1.0.0/16 -j ACCEPT
-moon::iptables -I OUTPUT -o eth1 -d 10.1.0.0/16 -j ACCEPT
-moon::ip rule add pref 50 table 50
-moon::ip route add 192.168.0.254 via PH_IP_MOON table 50
-moon::ip route add 10.1.0.0/16 via PH_IP_MOON1 table 50
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
+++ /dev/null
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-Using the <b>left|rightprotoport</b> selectors, the IPsec tunnel is
-restricted to the ICMP protocol. Upon the successful establishment of the
-IPsec tunnel, <b>firewall=yes</b> automatically inserts iptables-based
-firewall rules that let pass the tunneled ICMP traffic. In order to test
-both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b> as well as the inner interface of the gateway.
-For the latter ping <b>lefthostaccess=yes</b> is required.
-<p>
-By default, the native IPsec stack of the Linux 2.6 kernel transmits
-protocols and ports not covered by any IPsec SA in the clear. Thus by
-selectively opening the firewalls, <b>carol</b> sets up an SSH session to
-<b>alice</b> that is not going through the tunnel.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home-icmp
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftcert=carolCert.pem
- leftprotoport=icmp
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightprotoport=icmp
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn rw-icmp
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftprotoport=icmp
- leftid=@moon.strongswan.org
- leftcert=moonCert.pem
- leftfirewall=yes
- lefthostaccess=yes
- right=%any
- rightprotoport=icmp
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-carol::ip route del 10.1.0.0/16 via PH_IP_MOON
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-moon::iptables -I FORWARD -i eth0 -p tcp -d 10.1.0.0/16 --dport ssh -jACCEPT
-moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::iptables -I INPUT -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT
-carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT
-carol::ip route add 10.1.0.0/16 via PH_IP_MOON
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home-icmp
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels
-between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
-defined. The first IPsec SA is restricted to ICMP packets and the second
-covers TCP-based SSH connections. Using <b>add=route</b> %trap
-eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending
-a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute
-is triggered and the corresponding IPsec tunnel is set up. In the same
-way an ssh session to <b>alice</b> over the second IPsec SA is established.
+++ /dev/null
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
-carol::ssh PH_IP_ALICE hostname::alice::YES
-carol::cat /var/log/auth.log::initiate on demand::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=route
-
-conn home-icmp
- leftprotoport=icmp
- rightprotoport=icmp
-
-conn home-ssh
- leftprotoport=tcp
- rightprotoport=tcp/ssh
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- leftsubnet=10.1.0.0/16
- right=%any
- auto=add
-
-conn rw-icmp
- lefthostaccess=yes
- leftprotoport=icmp
- rightprotoport=icmp
-
-conn rw-ssh
- leftprotoport=tcp/ssh
- rightprotoport=tcp
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 3
-carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname
-carol::ping -c 1 PH_IP_MOON1 > /dev/null
-carol::sleep 2
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-Both the roadwarrior <b>carol</b> and the gateway <b>moon</b> generate a
-PKCS#1 RSA private key and a PKCS#10 certificate request using the
-<b>ipsec scepclient</b> function. Because the UML testing environment
-does not offer enough entropy, the non-blocking /dev/urandom device is
-used in place of /dev/random for generating the random primes.
-<p>
-The certificate requests are copied to <b>winnetou</b> where a certification
-authority based on OpenSSL issues X.509 certificates by verifying and
-signing the PCKS#10 requests. The certificates are then copied back to
-the corresponding hosts and used to set up a road warrior connection
-initiated by <b>carol</b>
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftcert=myCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA myKey.der
+++ /dev/null
---debug-control
---out pkcs1
---out pkcs10
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.der
+++ /dev/null
---debug-control
---keylength 2064
---out pkcs1=moonKey.der
---out pkcs10=moonReq.der
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/reqs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/reqs/*
-winnetou::rm /etc/openssl/carol*
-winnetou::rm /etc/openssl/moon*
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::cat /etc/scepclient.conf
-carol::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=carol@strongswan.org\" --optionsfrom /etc/scepclient.conf
-winnetou::scp carol:/etc/ipsec.d/reqs/myReq.der /etc/openssl/carolReq.der
-winnetou::openssl req -inform der -in /etc/openssl/carolReq.der -out /etc/openssl/carolReq.pem
-winnetou::cd /etc/openssl; COMMON_NAME="carol@strongswan.org" openssl ca -in carolReq.pem -out carolCert.pem -notext -config openssl.cnf -extensions user_ext < yy.txt
-winnetou::scp /etc/openssl/carolCert.pem carol:/etc/ipsec.d/certs/myCert.pem
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::cat /etc/scepclient.conf
-moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, SN=01, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf
-winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/
-winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem
-winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt
-winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/
-carol::sleep 2
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication is
+based on <b>X.509 certificates</b>. Upon the successful establishment of the IPsec
+tunnels, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the tunneled traffic. In order to test both tunnel and
+firewall, both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind
+the gateway <b>moon</b>.
--- /dev/null
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
+ charondebug="job 2"
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+ aggressive=yes
conn home
left=PH_IP_CAROL
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
+ charondebug="job 2"
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+ aggressive=yes
conn home
left=PH_IP_DAVE
- leftsourceip=%modeconfig
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
auto=add
-
-
-
-
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+ aggressive=yes
conn rw
left=PH_IP_MOON
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del 10.3.0.1/32 dev eth0
-dave::ip addr del 10.3.0.2/32 dev eth0
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
carol::ipsec start
dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::sleep 1
carol::ipsec up home
dave::ipsec up home
-carol::sleep 1
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> pings the client
-<b>alice</b> behind the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+
+conn home
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
-
-conn home
+ leftfirewall=yes
right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
auto=add
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
integrity_test = yes
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- strictcrlpolicy=no
- crlcheckinterval=180
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
conn home
left=PH_IP_DAVE
- leftcert=daveCert-sha512.pem
+ leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ integrity_test = yes
+ crypto_test {
+ on_add = yes
+ }
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- cachecrls=yes
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+
+conn rw
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
-
-conn rw
leftsubnet=10.1.0.0/16
+ leftfirewall=yes
right=%any
auto=add
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
integrity_test = yes
moon::ipsec stop
carol::ipsec stop
+dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
+dave::/etc/init.d/iptables start 2> /dev/null
moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
carol::ipsec up home
+dave::ipsec up home
# All UML instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
+++ /dev/null
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
-gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
-and 10.3.0.20, respectively.
-<p/>
-In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
-<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
-the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf.
-<p/>
-<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
-and from <b>alice</b> and <b>venus</b>, respectively.
-<p/>
-The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
-iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
-that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b>
-and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
+++ /dev/null
-alice::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::alice.*alice@strongswan.org::YES
-sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::venus.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn alice
- rightid=alice@strongswan.org
- mark_in=10/0xffffffff
- mark_out=11/0xffffffff
- also=sun
- auto=add
-
-conn venus
- rightid=@venus.strongswan.org
- mark_in=20 #0xffffffff is used by default
- mark_out=21 #0xffffffff is used by default
- also=sun
- auto=add
-
-conn sun
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftupdown=/etc/mark_updown
- right=%any
- rightsubnet=10.1.0.0/25
+++ /dev/null
-#! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communica-
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_REQID
-# is the requid of the ESP policy
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
-# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client sub-
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
-#
-# PLUTO_XAUTH_ID
-# is an optional user ID employed by the XAUTH protocol
-#
-# PLUTO_MARK_IN
-# is an optional XFRM mark set on the inbound IPsec SA
-#
-# PLUTO_MARK_OUT
-# is an optional XFRM mark set on the outbound IPsec SA
-#
-# PLUTO_UDP_ENC
-# contains the remote UDP port in the case of ESP_IN_UDP
-# encapsulation
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
-export PATH
-
-# uncomment to log VPN connections
-VPN_LOGGING=1
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice -/var/log/vpn
-
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
- echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
- exit 2
- ;;
-1.*) ;;
-*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
- exit 2
- ;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':') # no parameters
- ;;
-iptables:iptables) # due to (left/right)firewall; for default script only
- ;;
-custom:*) # custom parameters (see above CAUTION comment)
- ;;
-*) echo "$0: unknown parameters \`$*'" >&2
- exit 2
- ;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
- if [ -n "$PLUTO_UDP_ENC" ]
- then
- SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
- else
- SET_MARK="-p esp"
- fi
- SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
-up-host:)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK
- fi
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # log IPsec host connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-down-host:)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK
- fi
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # log IPsec host connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -A PREROUTING $SET_MARK
- fi
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # log IPsec client connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- if [ -n "$PLUTO_MARK_IN" ]
- then
- iptables -t mangle -D PREROUTING $SET_MARK
- fi
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # log IPsec client connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow ESP
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MOBIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=%defaultroute
- leftsubnet=10.1.0.0/25
- leftcert=venusCert.pem
- leftid=@venus.strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
+++ /dev/null
-sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-sun::ip route del 10.1.0.0/16 via PH_IP_MOON
-sun::conntrack -F
-sun::rm /etc/mark_updown
-moon::iptables -t nat -F
-moon::conntrack -F
+++ /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-sun::ip route add 10.1.0.0/16 via PH_IP_MOON
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2
-alice::ipsec up home
-venus::sleep 2
-venus::ipsec up home
-venus::sleep 2
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication
+is based on distinct <b>pre-shared keys</b> and <b>Fully Qualified Domain Names</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping the
+client <b>alice</b> behind the gateway <b>moon</b>.
--- /dev/null
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
+ authby=secret
+ aggressive=yes
conn home
- authby=secret
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
- rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
authby=secret
+ aggressive=yes
conn home
- left=PH_IP_CAROL
- leftid=@carol.strongswan.org
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
-
-conn rw-psk
authby=secret
+ aggressive=yes
+
+conn rw
left=PH_IP_MOON
- leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
+ leftid=@moon.strongswan.org
leftfirewall=yes
right=%any
auto=add
--- /dev/null
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+@moon.strongswan.org dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
carol::ipsec start
dave::ipsec start
+moon::ipsec start
carol::sleep 2
carol::ipsec up home
dave::ipsec up home
+++ /dev/null
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
-based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN).
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b>.
-<p>
-The significant difference between this scenario and the test
-<a href="../rw-psk-fqdn"><b>rw-psk-fqdn</b></a>
-is the additional line <b>rightid=@carol.strongswan.org</b> by which gateway
-<b>moon</b> restricts the roadwarrior connection to host <b>carol</b>.
-</p>
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- authby=secret
-
-conn rw-carol
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=%any
- rightid=@carol.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
-based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN).
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
conn home
left=PH_IP_CAROL
- leftid=@carol.strongswan.org
+ leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ authby=secret
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-: RSA carolKey.pem
+dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
authby=secret
+
+conn rw-carol
+ also=rw
+ right=PH_IP_CAROL
+ rightid=carol@strongswan.org
+ auto=add
+
+conn rw-dave
+ also=rw
+ right=PH_IP_DAVE
+ rightid=dave@strongswan.org
+ auto=add
conn rw
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
leftfirewall=yes
- right=%any
- auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+@moon.strongswan.org carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+@moon.strongswan.org dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
}
moon::ipsec stop
carol::ipsec stop
+dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
carol::ipsec start
+dave::ipsec start
moon::ipsec start
carol::sleep 2
carol::ipsec up home
+dave::ipsec up home
# All UML instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
-based on <b>Preshared Keys</b> (PSK) and <b>IPv4 addresses</b> (ID_IPV4_ADDR).
-<b>firewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b>
-behind the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-PH_IP_CAROL PH_IP_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ authby=secret
+
+conn home
+ left=PH_IP_DAVE
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-: RSA carolRevokedKey.pem
+192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
keyingtries=1
keyexchange=ikev1
authby=secret
+
+conn rw-carol
+ also=rw
+ right=PH_IP_CAROL
+ auto=add
+
+conn rw-dave
+ also=rw
+ right=PH_IP_DAVE
+ auto=add
conn rw
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftfirewall=yes
- right=%any
- auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
+192.168.0.1 192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+192.168.0.1 192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
}
moon::ipsec stop
carol::ipsec stop
+dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
carol::ipsec start
+dave::ipsec start
moon::ipsec start
carol::sleep 2
carol::ipsec up home
+dave::ipsec up home
# All UML instances that are required for this test
#
-UMLHOSTS="alice moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
# UML instances on which tcpdump is to be started
#
# UML instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
+++ /dev/null
-The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using
-<b>PSK</b>-based authentication. Since <b>moon</b> supports <b>RSASIG</b>-based
-authentication only, the connection setup fails.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::peer requests PSK authentication::YES
-moon::cat /var/log/auth.log::but no connection has been authorized with policy=PSK::YES
-moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
-
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>.
-<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s
-is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes
-and automatically selects the correct roadwarrior connection definition based on policy
-information gained from pre-parsing the peers' ISAKMP proposal payload.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::peer requests PSK authentication::YES
-moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
-moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes128,serpent128,twofish128,3des
-
-conn home
- authby=secret
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
-
-conn rw-rsasig
- authby=rsasig
- leftcert=moonCert.pem
- auto=add
-
-conn rw-psk
- authby=secret
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-: RSA moonKey.pem
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+++ /dev/null
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol dave winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using
-<b>RSASIG</b>-based authentication. Since <b>moon</b> supports <b>PSK</b>-based
-authentication only, the connection setup fails.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
-moon::cat /var/log/auth.log::but no connection has been authorized with policy=PUBKEY::YES
-moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
-
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-Roadwarrior <b>carol</b> and gateway <b>moon</b> each generate a
-PKCS#1 RSA private key and a self-signed X.509 certificate
-using the <b>ipsec scepclient</b> function. Because the UML testing
-environment does not offer enough entropy, the non-blocking /dev/urandom
-device is used in place of /dev/random for generating the random primes.
-<p>
-The self-signed certificates are then distributed to the peers via scp
-and are used to set up a road warrior connection initiated by <b>carol</b>
+++ /dev/null
-carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
-moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=0
- strictcrlpolicy=no
- nocrsend=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftcert=selfCert.der
- leftsendcert=never
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightcert=peerCert.der
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA myKey.der
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A INPUT -p tcp --sport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=0
- strictcrlpolicy=no
- nocrsend=yes
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn carol
- left=PH_IP_MOON
- leftcert=moonCert.der
- leftid=@moon.strongswan.org
- leftsendcert=never
- leftfirewall=yes
- leftsubnet=10.1.0.0/16
- right=%any
- rightcert=carolCert.der
- auto=add
-
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.der
+++ /dev/null
---debug-control
---keylength 2032
---days 1460
---subjectAltName dns=moon.strongswan.org
---out pkcs1=moonKey.der
---out cert-self=moonCert.der
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec scepclient --out pkcs1 --out cert-self
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/scepclient.conf
-moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf
-moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/carolCert.der
-moon::scp /etc/ipsec.d/certs/moonCert.der carol:/etc/ipsec.d/certs/peerCert.der
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but
-uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define
-the connections in a modular form. A closed also loop created by including
-<b>conn host-host</b> in <b>conn moon</b> is successfully detected.
+++ /dev/null
-moon::cat /var/log/auth.log::detected also loop::YES
-moon::cat /var/log/auth.log::errors in config::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- also=host-host
- also=moon-net
- also=sun-net
-
-conn host-host
- also=moon
- also=sun
- auto=add
-
-conn rw
- right=%any
- also=moon
- also=moon-net
- auto=add
-
-conn moon
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- also=host-host
-
-conn moon-net
- leftsubnet=10.1.0.0/16
-
-conn sun
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
-
-conn sun-net
- rightsubnet=10.2.0.0/16
+++ /dev/null
-moon::ipsec start --debug-all
-moon::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon"
+++ /dev/null
-This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but
-uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define
-the connections in a modular form.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn net-net
- also=host-host
- also=moon-net
- also=sun-net
-
-conn host-host
- also=moon
- also=sun
- auto=add
-
-conn rw
- right=%any
- also=moon
- also=moon-net
- auto=add
-
-conn moon
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
-conn moon-net
- leftsubnet=10.1.0.0/16
-
-conn sun
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
-
-conn sun-net
- rightsubnet=10.2.0.0/16
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start --debug-all
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-This test is based on the <a href="../mode-config">mode-config</a>
-scenario and demonstrates the multiple use of the <b>include</b>
-parameter in IPsec configuration files. At the top level <b>/etc/ipsec.conf</b>
-defines the config setup section and includes <b>/etc/ipsec.connections</b>
-which in turn includes <b>/etc/ipsec.host</b> and <b>/etc/ipsec.peers/*</b>
-thereby showing the use of wildcards in path definitions.
+++ /dev/null
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%modeconfig
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-include /etc/ipsec.connections
+++ /dev/null
-# /etc/ipsec.connections - connection definitions
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-include /etc/ipsec.host
-
-include /etc/ipsec.peers/*
-
+++ /dev/null
-# /etc/ipsec.host - my host configuration
-
-conn %default
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP_MOON1
- leftnexthop=%direct
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
-
+++ /dev/null
-# /etc/ipsec.peers/ipsec.carol - connection from carol
-
-conn rw-carol
- right=%any
- rightid=carol@strongswan.org
- rightsourceip=PH_IP_CAROL1
- auto=add
-
+++ /dev/null
-# /etc/ipsec.peers/ipsec.dave - connection from dave
-
-conn rw-dave
- right=%any
- rightid=dave@strongswan.org
- rightsourceip=PH_IP_DAVE1
- auto=add
-
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
-moon::rm /etc/ipsec.connections /etc/ipsec.host
-moon::rm -r /etc/ipsec.peers
+++ /dev/null
-moon::cat /etc/ipsec.connections /etc/ipsec.host /etc/ipsec.peers/*
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start --debug-all
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-This is a remote-access scenario with two roadwarriors <b>carol</b> and <b>dave</b>
-setting up a connection each to the VPN gateway <b>moon</b>. Authentication is
-based on strong X.509 certificates with SHA-2 signatures.
-The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-224</b> hash in
-its signature whereas the certificates of the roadwarriors <b>carol</b>
-and <b>dave</b> use <b>SHA-384</b> and <b>SHA-512</b>, respectively.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- strictcrlpolicy=no
- crlcheckinterval=180
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert-sha384.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEITCCAwmgAwIBAgIBJTANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNDc1OVoXDTE2MTAxNTEyNDc1OVowWTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z
-ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv
-7otSsjbH4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0
-DvtT6CWnnxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoS
-hLjwuqq2eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9
-xAh32ywd10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkO
-ZLZYzBqJRpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABo4IBBjCCAQIw
-CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFPk6ATSleHErWFAYkCZD
-BhDo8X1qMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
-CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS
-c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3
-YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHiE/MMyXJXuMuhw
-/lu/UwjCHbbJMA9QrBJe++34OwAV0siM98loVLs23vHXk/52QHRIwZgMLO2FF9Pk
-4JkFOvTXCgNPZKrUL28UhHsnJe8EZVOuir5o6yTSti+J/tR4M2YoY67JjW/KeTwU
-BVBtBVH88gf/xm2mSlIrkHxG3/GWqyEdeY7BOaft1sFTTZ1gKKXQlARtWidho1mf
-5Y1lZ//kOuvMjnk+hEWPWESq8lBzLOmQGBk65vaEH3LVZxSQVJbfG2E0dHgPZNgc
-hFOS8Oc6L6AfKlWHAT0ZCR5+1YsxxnlsftHzxiA0ayGCgpn2qcN+OPjfzPCtC80N
-6oXDLZM=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv7otSsjbH
-4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0DvtT6CWn
-nxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoShLjwuqq2
-eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9xAh32ywd
-10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkOZLZYzBqJ
-RpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABAoIBAQCMhpbjwXWLLd5r
-A18DYDv5PPXpvCdCMfG9swPNMnfnVUQrbpCmPn3iEX2/uShrEaapKXNclf1yY1bL
-xAr43mCmK0lcu9fX+A2vLyOjCrbm8IIcwRDt5NTWd3+6D6xSierBM8TE480PdW9s
-5v7WzRMLvkWjHIkekrsMNYozTWzRC6MgO99hzalWzKSeHHxlieoG7sN8KQ0hmwO+
-lMR6XDwrEnENbDbX//rbPjD4gdkqwAzCyf2IMNAHefAJUrjll2t1aQNknGwpDaAS
-g8Il7iAwIxoP2SrJ89K4Wq4Ifq+tLeX1sjwF0IESi41xNZZ/CrLiJbIPZSyBVRvx
-wwzObUPBAoGBAO6Gu2QaUoIZWpIL5TcAbQIGUx4FPKy2FbKWnU6VL9fmw8DGqKC0
-WX/CCSBmYHQyvlozutX4g8PI6YfgbbuPpgt/yJeLO+33PZK2Cps0//0EmEIvZ7ZM
-kOV+PRNuDIlKQNCaD8LdAcp0KSUc8vo3BAYArrjd1WZze85tqgAHmKR/AoGBAMWZ
-YkyQwBE0+W9P5gmGwuc+q2T3SjpGXjtzyo63K6ra892u49xIklfvNZ3PlgNbTSCo
-tTZLfwRu2uRhh2C8ZsjwfdpMAdT0BNCqEXtdp8JBJiNmrvY17NrSJnMginvu26qM
-QbsaF2Q1BV7OMZHvjgYrCqgokUGcJY6A0OlftjixAoGBALa3mPbOvyOP/nRgDl86
-wUZKyAL4Kgl3llluzOP0nmi6Cnwy8dvhK6oVXl5mbj603GJGvDnKnE0vK819WzHR
-kXW/lk6YRvk8avtm3esVB3+vtF8G52CbeGeEc47dv1av/cSOL8KrAAMxRo96hJqt
-6DQc87sDm8RWdKGmGhLZvtFLAoGAA+bJaBWblTtkiWwccKe2hXZZT/8J+iiVh7r7
-juHS/Oah1giz+w97xDy25EzK+3n8Bd8O5OmMsnu12riKQcC2jtUgxwSlLJ080xno
-inUI8O70X9KRNc9Ow+tOUwubcGMA91cZnSYgvBvH5V1Q4T7HoRuMdFGIvLDmlO+6
-MEFxiaECgYEAw7GqJYl2q6be56WANWA9ecNenr4+ekHZImpK0vb1bYD2LinfFNNK
-9jOHK2tK2jV3DgfUEieItz/uWV3iCJkIfErwu3ZS9qnDBu70OHGpsM1nXRUzZ0Ct
-5vOlBr5h6DMrP+ou/95yeraoibqs2kTUrAdkC80Yk5nbEHFDiD6cJcw=
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBJjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNTAzMFoXDTE2MTAxNTEyNTAzMFowWDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01
-MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQCs5SBCzV3Is/w7CIzfBXRGv6uXwyDivRXXYsczeSRf
-5mw/slRVAEtNbX8rQ8BWLIqiJPCLDek5ODkqKI+hArZVpJqMzZyql2Teosrtnokb
-h/yA8EWtEr0jII2RxQ0xb8r25h+DwBosAM15B1rCAMmJOjbEMMBGmAb7y7N0K8nr
-Z8RctwrRdCGVcg+f+LFrklF1tBLs0zGIrJsk1eB0XbrB+fEPar9Lmn+/q2QHGPCt
-aOlR2ZxRsjqsYJW9yI8r33PVVm2aGmS/19UguEG8FC3owud0boHfP91/NvSIWfhP
-iIuDPjJOBPEJ/I6OYjYXXQuOZYwFGau2WrpNDQioPgedAgMBAAGjggEFMIIBATAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU5re6olyWAt1HfN2l92Rb
-7DDCnxMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
-BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQAtRPFMSuEnPmqeC2mF
-OE5N26r2p8HfB4FAPwarlg66IIvKvkk1zqn5YfZIXfMU/x5q+85aO31iQmjlAPpo
-KXqRq7V0a0ldjXEr+Tz7xG3jno989dBrD3kQZnwXR57xGt1qTVGY7uQdbgXWzVHM
-GYS6gjUw7Df9vAQcTfUxUpZc5wlDoiRrFkyPc1raFCZF3//Ig9agjO4r1SzPHYw7
-LrHJR1xkd0IWVTW8Z6xB14j452IiimhyK1zAR3zmh1vH9VuHDLHMhyjSl1R+gk5U
-KzDPaqXd4NA7eIQNiAhysYTXfmUYytbFNZw9bamxTxlCmca1snuTIcFM5OYOfxRT
-iKMh
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEArOUgQs1dyLP8OwiM3wV0Rr+rl8Mg4r0V12LHM3kkX+ZsP7JU
-VQBLTW1/K0PAViyKoiTwiw3pOTg5KiiPoQK2VaSajM2cqpdk3qLK7Z6JG4f8gPBF
-rRK9IyCNkcUNMW/K9uYfg8AaLADNeQdawgDJiTo2xDDARpgG+8uzdCvJ62fEXLcK
-0XQhlXIPn/ixa5JRdbQS7NMxiKybJNXgdF26wfnxD2q/S5p/v6tkBxjwrWjpUdmc
-UbI6rGCVvciPK99z1VZtmhpkv9fVILhBvBQt6MLndG6B3z/dfzb0iFn4T4iLgz4y
-TgTxCfyOjmI2F10LjmWMBRmrtlq6TQ0IqD4HnQIDAQABAoIBAG0+sa3EGdgxcdTT
-SD+7MIdroL7Z+rOKCnz32yp5BzTZYdi1k3fKIcqgv1PVEXjh2A8wDBWxCoavMd+j
-lW2FSzS+NzF00eMwmfnbHyIZpESTHkdSipQbXQsPDKTov7dXDgYHzi3vehoHv80T
-ipM+8BkXgXdh3nw8n10GjzN+X62v73pQxXooC2JrsxKPubB9NkX8UtcYddrmMQpr
-xOixBsk3VwkIh+3CatBPKJH/Ryk/U9rMU7F7KlAi+xHj3UF3iAvUwYVaJWAeWfci
-KP07cFxsar8Vgf2IK+sbZP6LPky1oiYq+VkIrgX6UPtyyrS60Bf7OFIy5I0Hmm8K
-b0rChbkCgYEA2B1IVtBmNBt/rCwqWgRLf4vW86JGgKAOx15hucPdA1NAHygNLdZC
-bcM6OkP1PEp1mpA0mDgYQQdggzsWKYuJjtf8MN9sZwi6SrRI2Y3OCy7SFLsyDNkz
-xkWo6b5/WGH+cEzVRVkD0RU97xjXudXzcwm1PA5goRcGNg1zdvOi0XsCgYEAzM3d
-tbq3txVh5EK3IeCsvtQGY4IFADdjaC2wgTeOlHo/nGoCB8TuFMN32MHqlmAdspJQ
-PojDKVZhhOknJQpBI1iYVYTJTIwtJM5CeY5gwhnrPVru4LJaa8zXTJdIeZ++nJFR
-Dawt5rsJ+f2yTzQWPm2Ywbril8KBVwqD4V9uQ8cCgYBk/foqJ6U7QIZ/TPxVqKAn
-cI/4tqK/xQxi+qYsi20i+qqCZNMT0oakiJETXWKi1CD1I+KQJ9advPbLHLeUnpKf
-4CsII8CivZ9g/bL1h6D79NtTuM8A1het1ivDX7Re9xxSGnWnvJtd/9E7hJ57R5JG
-9ghtkkJxxTKv28VTlzNFNQKBgDuQ4Jv7a3V3ZZpTARp8UyHJXvZQGY4/jcz+BOkA
-NJrgl2Gxv1dtImWtmEzV0Znc6KZIQch+VGzQb9qNSVJPkjRqjxvIXBfEaVjcGJ9s
-Fp49lZqpuPJnTT8vO6tOEMk2+eRlq3JTkqIZ4kPwUo0QtCuCCrzF0yOaca3UJBlH
-fTV/AoGAElXK1jYXzxJLTik9TW3Jl9w45GP572HAYVBc+gpCtvxVvr9V8qsiDST2
-hovbkEcG6o+rCAgHnzdCxpK0Avnb8yyu4yvBGTWowoBqF9Nyv2aZts83gRxEapZC
-Mc8u9QuIB0QCea13jgWWkkMLr9lt7kmVjR+Nch4lcF4RVqagEEE=
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- strictcrlpolicy=no
- crlcheckinterval=180
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert-sha224.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIENDCCAxygAwIBAgIBJDANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNDUwN1oXDTE2MTAxNTEyNDUwN1owWDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
-MjQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDEPYW1tmcbkgNMcnOHXAKHlgL2k7r1+rVWJ/8NF9vI
-7MpQ8qomHPV3G00CYSQsCDgBVvK71pasiz+dsYdHAY28ihb2m/lsaSquwsb0Fexj
-hJiqaohcLJk0MjTDUdArh6iddvDAYMDkfApM49TaXNxdz0sffV5KOIH0hrQe0wsw
-P2p/SHTATNh3ebTLr8Y7dMKecxFrKQswZc+d7gvIftZXRvjsUprc77dDURGByPw3
-N+/23chuDXNNaxMylWQhmiTUne8tIyg0vtur3do5Dq1IqQKqvxSfBjRL6ZJU0/6l
-KuhChV0cSVd2H2zzovuke5XzHzUsoESWXWYK9qIEj2HRAgMBAAGjggEaMIIBFjAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUT4FJonJgeZBpFHc8iosc
-WWM+mPswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
-BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
-Lm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRw
-Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEB
-DgUAA4IBAQA60WN0QwQuFVYg/C156POjKENZP9CGF8NyiC/NUYqgbIrGGTTpwTxs
-pW/+YDG1tVtCkqtLGsO0uZRe8Ihs3afNsPMNlCiTCPgrs5erc4ZTv5MB7Ap2lyL5
-NSQ9SggICbQhkHQHP6TINtas9+FrAw10jWIa107DYLLC7Ea77Y5vryL6/ymrpwdL
-Vwm9kAkGYvm0lmzw6YfzPskKc3MpWnjBTraPG42Z8oWTEDJnBtS761k60lNwndKC
-JdRUxoOOegzsKIIzorRz9xCN2zA2CAeChqHMbBpNCRwl0dQ00ztXReONl97iNgw6
-NrdHsqCiH8Q+I2JCxU230Zl6UFKARLo+
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAxD2FtbZnG5IDTHJzh1wCh5YC9pO69fq1Vif/DRfbyOzKUPKq
-Jhz1dxtNAmEkLAg4AVbyu9aWrIs/nbGHRwGNvIoW9pv5bGkqrsLG9BXsY4SYqmqI
-XCyZNDI0w1HQK4eonXbwwGDA5HwKTOPU2lzcXc9LH31eSjiB9Ia0HtMLMD9qf0h0
-wEzYd3m0y6/GO3TCnnMRaykLMGXPne4LyH7WV0b47FKa3O+3Q1ERgcj8Nzfv9t3I
-bg1zTWsTMpVkIZok1J3vLSMoNL7bq93aOQ6tSKkCqr8UnwY0S+mSVNP+pSroQoVd
-HElXdh9s86L7pHuV8x81LKBEll1mCvaiBI9h0QIDAQABAoIBAEnZeTMb9ItslG81
-dwKOfqk1q+HNUIN3GLzWimYL/3sKmUyDNcLoDPwIux9VHT6wzRq79Nb5d3RxZrxa
-bbUsAYHdWazun5vLq/Nee26pvW7qHGWtd6lwYytAZZjHdhabk7nGY+2Ru6WAhIPR
-DW4rmgZ3lya/kDdQMp+p/ajH9SLvYdo8rc3e2a5pJJitR3iU9rFO8PRSD6is7ldr
-FxYDMWv+Latkscpku4fww8X6XlHo3u7usogs5FHjNePeJjNkzdj5X958OmzxN4JJ
-jKheFALXJuMYY/9MLWaygkZgWuD1yr8chBtH+kxJLqbv9/pBaQqehEDfGOgfPnQi
-OxccUS0CgYEA4VL/hsJvhziqd+MHryrYvPQgHZJf+ksMpRelD/zEJRjAGnyT2hDQ
-R1H9jKP689E6lhCire9ag79rkF4lOvVWpM4f1XOPwX9Oap93dRn5PZLCMKfmnuo7
-RSC3qsGRdzIB0j0e9XQXW3tzoSVJtASd0X7qMTujaWQef7hNPW/To9MCgYEA3vTk
-YQGARsJIjvF1xu7ut1NC1GyQbvDShylmrOBPTBRgzIEjWnifDH79BAXr9yTigqR/
-qHZhWC0bPPY2x6iFi4dTa30vNGqP61GU4HouQDZ/Lf7TXL7pTHRSihL3x9f2nIu+
-nyEhfrYomt0M960OHS5izXP/27vXItLTazshMUsCgYEAn3lOwOH8bYf9nrxgQ+nf
-XFysHkHrDArx+Caz/Iy5hkfuLtDdFAmyX8f33AJzKv16qZs8iD5Poc9pIdSAJSpf
-GGWKwlf39stThMM4mPi5HoswRZ+P6gl9yX9OftxhSCtsfpAjyTVREr5dKEBr2a0q
-xYs91XqQPZdOvraCdGkhMWECgYEAiQFTlYimmtSoYa5fAW+xoVW4q3BLEOFLfWMj
-hPgRwl6DXSe94cpdcgBW2jIJXkV8K2uKRqr4BocxRbTG1MnpxmPSDytN5pfU+HWZ
-Vpe99BeI72q31zY5hpG0ZsRhHpzHHkuBR6fEPWkSapeLcGcXVTc736R4hT5YZT3I
-TQx4ySECgYEArIxFy2zEbQH8znJoRwshSSanGovSCRxpoP+j5WHlccMQAjDhoFMg
-KLCXbbnNyM4qlvwHG4Z27Fgexvk5dPHYnQlW9A4YP4o6SFf6RnxW1ZdR/Kc4aY/6
-rXxt+Q0rf4qRKbTh90yDnc2YQj11g9BgvFliIM2GOTq8NUtjQVRgNm4=
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/private/*
-dave::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/certs/*
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
+++ /dev/null
-Same scenario as test <a href="../virtual-ip/"><b>virtual-ip</b></a> but with
-swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas
-<b>left</b> stands for the <b>remote</b> peer.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- right=PH_IP_CAROL
- rightsourceip=PH_IP_CAROL1
- rightcert=carolCert.pem
- rightid=carol@strongswan.org
- rightfirewall=yes
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn rw
- right=PH_IP_MOON
- rightsourceip=PH_IP_MOON1
- rightcert=moonCert.pem
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightfirewall=yes
- leftsubnetwithin=10.3.0.0/16
- left=%any
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. Both <b>carol</b>
-and <b>moon</b> define a static virtual IP using the <b>leftsourceip</b> parameter.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, <b>carol</b> pings the client <b>alice</b>
-behind the gateway <b>moon</b> as well as the inner interface of the gateway. The source IP
-of the two pings will be the virtual IP <b>carol1</b>. Also thanks to its virtual IP <b>moon1</b>
-the gateway <b>moon</b> is able to ping <b>carol1</b> by using the existing subnet-subnet IPsec
-tunnel.
+++ /dev/null
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=PH_IP_CAROL1
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn rw
- left=PH_IP_MOON
- leftsourceip=PH_IP_MOON1
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- rightsubnetwithin=10.3.0.0/16
- right=%any
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-carol::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of wildcard parameters that must match the subject
-<b>Distinguished Name</b> contained in the peer's X.509 certificate. Access to
-<b>alice</b> is granted for DNs containing a OU=Research field whereas <b>venus</b>
-can only be reached with a DN containing OU=Accounting. The roadwarriors
-<b>carol</b> and <b>dave</b> belong to the departments 'Research' and 'Accounting',
-respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
-can reach <b>venus</b>.
+++ /dev/null
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
-
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
-
-conn alice
- rightsubnet=PH_IP_ALICE/32
- auto=add
-
-conn venus
- rightsubnet=PH_IP_VENUS/32
- auto=add
-
-
-
-
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
-
-conn alice
- leftsubnet=PH_IP_ALICE/32
- right=%any
- rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
- auto=add
-
-conn venus
- leftsubnet=PH_IP_VENUS/32
- right=%any
- rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
- auto=add
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+++ /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-The WLAN clients <b>alice</b> and <b>venus</b> secure all their wireless traffic
-by setting up an IPsec tunnel to gateway <b>moon</b>. The VPN network mask is
-<b>0.0.0.0/0</b>. Traffic with destination outside the protected 10.1.0.0/10 network
-is NAT-ed by router <b>moon</b>. The IPsec connections are tested by pings from
-<b>alice</b> to <b>venus</b> tunneled via <b>moon</b> and to both the internal
-and external interface of gateway <b>moon</b>. Access to the gateway is
-set up by <b>lefthostaccess=yes</b> in conjunction with <b>leftfirewall=yes</b>.
-At last <b>alice</b> and <b>venus</b> ping the external host <b>sun</b> via the NAT router.
-<p>
-The host system controls the UML instances <b>alice</b> and <b>carol</b> via
-ssh commands sent over the virtual <b>tap1</b> interface. In order to keep up
-the control flow in the presence of the all-encompassing 0.0.0.0/0 tunnel
-to the gateway <b>moon</b> an auxiliary <b>passthrough</b> eroute restricted
-to the ssh port is statically set up by <b>conn system</b>.
-
+++ /dev/null
-alice::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
-moon::tcpdump::ESP::YES
-sun::tcpdump::ICMP::YES
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn system
- left=PH_IP_ALICE
- leftprotoport=tcp/ssh
- authby=never
- type=passthrough
- right=10.1.0.254
- rightprotoport=tcp
- auto=route
-
-conn wlan
- left=PH_IP_ALICE
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON1
- rightid=@moon.strongswan.org
- rightsubnet=0.0.0.0/0
- auto=add
-
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth1 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A FORWARD -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- # enable SNAT
- iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p icmp -j SNAT --to-source PH_IP_MOON
- iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn alice
- right=PH_IP_ALICE
- rightid=alice@strongswan.org
- also=wlan
- auto=add
-
-conn venus
- right=PH_IP_VENUS
- rightid=@venus.strongswan.org
- also=wlan
- auto=add
-
-conn wlan
- left=PH_IP_MOON1
- leftsubnet=0.0.0.0/0
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- lefthostaccess=yes
-
+++ /dev/null
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- nat_traversal=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
-
-conn system
- left=PH_IP_VENUS
- leftprotoport=tcp/ssh
- authby=never
- type=passthrough
- right=10.1.0.254
- rightprotoport=tcp
- auto=route
-
-conn wlan
- left=PH_IP_VENUS
- leftcert=venusCert.pem
- leftid=@venus.strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON1
- rightid=@moon.strongswan.org
- rightsubnet=0.0.0.0/0
- auto=add
-
+++ /dev/null
-moon::iptables -t nat -v -n -L POSTROUTING
-moon::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-moon::conntrack -F
+++ /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-alice::ipsec start
-venus::ipsec start
-alice::sleep 2
-alice::ipsec up wlan
-venus::sleep 2
-venus::ipsec up wlan
-venus::sleep 2
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon:eth1 sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus moon"
The authentication is based on Pre-Shared Keys (<b>PSK</b>)
followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
-<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%modeconfig</b>
+<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%config</b>
parameter. The virtual IP addresses are registered under the users' XAUTH identity.
<p>
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
--- /dev/null
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
conn home
left=PH_IP_CAROL
+ leftid=PH_IP_CAROL
+ leftsourceip=%config
leftfirewall=yes
right=PH_IP_MOON
+ rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
xauth_identity=carol
auto=add
--- /dev/null
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq
+
+@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+@sun.strongswan.org : PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
+
+carol : XAUTH "4iChxLT3"
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
conn home
left=PH_IP_DAVE
+ leftid=PH_IP_DAVE
+ leftsourceip=%config
leftfirewall=yes
right=PH_IP_MOON
+ rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
xauth_identity=dave
auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth attr kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic attr kernel-netlink socket-default stroke updown
dns1 = 192.168.0.150
dns2 = 10.1.0.20
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
+++ /dev/null
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::ipsec leases rw 10.3.0.1::carol::YES
-moon::ipsec leases rw 10.3.0.2::dave::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- authby=xauthpsk
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftsourceip=%modeconfig
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- xauth_identity=carol
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org @dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq
-
-carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol@strongswan.org @sun.strongswan.org : PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
-
-carol : XAUTH "4iChxLT3"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- authby=xauthpsk
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftsourceip=%modeconfig
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- xauth_identity=dave
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on Pre-Shared Keys (<b>PSK</b>)
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords.
-<p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
+++ /dev/null
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol : XAUTH "4iChxLT3"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-dave : XAUTH "ryftzG4A"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- authby=xauthpsk
- xauth=server
-
-conn rw
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol : XAUTH "4iChxLT3"
-
-dave : XAUTH "ryftzG4A"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
leftid=carol@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
- rightid=moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
auto=add
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
leftid=dave@strongswan.org
leftfirewall=yes
right=PH_IP_MOON
- rightid=moon.strongswan.org
rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
auto=add
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
conn rw
left=PH_IP_MOON
- leftid=moon.strongswan.org
+ leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
based on user names and passwords. Next both <b>carol</b> and <b>dave</b> request a
<b>virtual IP</b> via the IKE Mode Config protocol by using the
-<b>leftsourceip=%modeconfig</b> parameter.
+<b>leftsourceip=%config</b> parameter.
<p>
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
--- /dev/null
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
conn home
left=PH_IP_CAROL
+ leftsourceip=%config
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
- plutodebug=control
+ plutostart=no
conn %default
ikelifetime=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
- modeconfig=push
+ authby=xauthrsasig
conn home
left=PH_IP_DAVE
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug="control"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
rightsourceip=PH_IP_CAROL1
conn rw-dave
- rightid=dave@strongswan.org
- rightsourceip=PH_IP_DAVE1
+ rightid=dave@strongswan.org
+ rightsourceip=PH_IP_DAVE1
+
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
# UML instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS="moon"
# UML instances on which IPsec is started
# Used for IPsec logging purposes
+++ /dev/null
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
-certificates followed by extended authentication (<b>XAUTH</b>) based
-on user name and password. Because user <b>carol</b> presents a wrong
-XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted.
+++ /dev/null
-carol::cat /var/log/auth.log::extended authentication failed::YES
-moon::cat /var/log/auth.log::extended authentication failed::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
-
-carol@strongswan.org : XAUTH "4iChxLT8"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- authby=xauthrsasig
- xauth=server
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : XAUTH "4iChxLT3"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-carol::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
+++ /dev/null
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES
-moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- authby=xauthrsasig
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%modeconfig
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- authby=xauthrsasig
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%modeconfig
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
+++ /dev/null
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
-certificates followed by extended authentication (<b>XAUTH</b>) based
-on user name and password. Because user <b>carol</b> cannot find her
-XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the
-ISAKMP SA is deleted.
+++ /dev/null
-carol::cat /var/log/auth.log::xauth user credentials not found::YES
-moon::cat /var/log/auth.log::received FAIL status in XAUTH reply::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control controlmore"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- authby=xauthrsasig
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutodebug="control controlmore"
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- authby=xauthrsasig
- xauth=server
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : XAUTH "4iChxLT3"
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
+++ /dev/null
-moon::ipsec stop
-carol::ipsec stop
+++ /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-carol::sleep 1
+++ /dev/null
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
- charonstart=no
+ plutostart=no
conn %default
ikelifetime=60m
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
}
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
libstrongswan {
dh_exponent_ansi_x9_42 = no
}
projects / thirdparty / strongswan.git / commitdiff
