charon-tkm: Don't use starter/stroke with charon-tkm anymore
authorTobias Brunner <tobias@strongswan.org>
Tue, 24 Nov 2020 16:33:13 +0000 (17:33 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 11 Jan 2021 14:28:01 +0000 (15:28 +0100)
For the tests, the unused init script that was used before switching to
charon-systemd is repurposed to manage the daemon.

70 files changed:
src/charon-tkm/Makefile.am
testing/hosts/default/etc/init.d/charon-tkm [moved from testing/hosts/default/etc/init.d/charon with 94% similarity]
testing/scripts/recipes/010_tkm.mk
testing/tests/tkm/host2host-initiator/evaltest.dat
testing/tests/tkm/host2host-initiator/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
testing/tests/tkm/host2host-initiator/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/host2host-initiator/posttest.dat
testing/tests/tkm/host2host-initiator/pretest.dat
testing/tests/tkm/host2host-initiator/test.conf
testing/tests/tkm/host2host-responder/evaltest.dat
testing/tests/tkm/host2host-responder/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
testing/tests/tkm/host2host-responder/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/host2host-responder/posttest.dat
testing/tests/tkm/host2host-responder/pretest.dat
testing/tests/tkm/host2host-responder/test.conf
testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/host2host-xfrmproxy/posttest.dat
testing/tests/tkm/host2host-xfrmproxy/pretest.dat
testing/tests/tkm/host2host-xfrmproxy/test.conf
testing/tests/tkm/multiple-clients/evaltest.dat
testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
testing/tests/tkm/multiple-clients/hosts/carol/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
testing/tests/tkm/multiple-clients/hosts/dave/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/multiple-clients/hosts/sun/etc/strongswan.conf.in
testing/tests/tkm/multiple-clients/posttest.dat
testing/tests/tkm/multiple-clients/pretest.dat
testing/tests/tkm/multiple-clients/test.conf
testing/tests/tkm/net2net-initiator/evaltest.dat
testing/tests/tkm/net2net-initiator/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
testing/tests/tkm/net2net-initiator/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/net2net-initiator/posttest.dat
testing/tests/tkm/net2net-initiator/pretest.dat
testing/tests/tkm/net2net-initiator/test.conf
testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/net2net-xfrmproxy/posttest.dat
testing/tests/tkm/net2net-xfrmproxy/pretest.dat
testing/tests/tkm/net2net-xfrmproxy/test.conf
testing/tests/tkm/xfrmproxy-expire/evaltest.dat
testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/xfrmproxy-expire/posttest.dat
testing/tests/tkm/xfrmproxy-expire/pretest.dat
testing/tests/tkm/xfrmproxy-expire/test.conf
testing/tests/tkm/xfrmproxy-rekey/evaltest.dat
testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf.in
testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf [deleted file]
testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0644]
testing/tests/tkm/xfrmproxy-rekey/posttest.dat
testing/tests/tkm/xfrmproxy-rekey/pretest.dat
testing/tests/tkm/xfrmproxy-rekey/test.conf

index ad54eafc0e2256b920b8a4270a0367ee5691554a..4939c074a14eb09549a9aae28255ed03ec5880e7 100644 (file)
@@ -29,7 +29,7 @@ PLUGINS = \
        pem \
        socket-default \
        openssl \
-       stroke
+       vici
 
 all: build_charon
 
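Review bot: Swapping `stroke` for `vici` in PLUGINS makes the vici UNIX socket the only control channel of charon-tkm, and nothing in the commit says who is allowed to connect to it. Any local process that can open that socket can load credentials and connections and initiate or terminate SAs, so for a TKM deployment the socket path and its ownership/mode (`charon-tkm.plugins.vici.socket`, plus the daemon group if the socket is chowned to it) deserve a sentence in the charon-tkm documentation or a comment next to the `start-scripts` entry that invokes swanctl. I cannot verify from this page how charon-tkm creates the socket, so the access-control details are something to confirm rather than a claim.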
similarity index 94%
rename from testing/hosts/default/etc/init.d/charon
rename to testing/hosts/default/etc/init.d/charon-tkm
index 477605172bde7366914734309258de55e3b78ca4..fa8b8419d853bdf8c43898e3fc9d80b904983c07 100755 (executable)
@@ -1,12 +1,12 @@
 #! /bin/sh
 ### BEGIN INIT INFO
-# Provides:          charon 
+# Provides:          charon-tkm
 # Required-Start:    $remote_fs $syslog
 # Required-Stop:     $remote_fs $syslog
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
-# Short-Description: strongSwan charon IKE daemon 
-# Description:       with swanctl the strongSwan charon daemon must be
+# Short-Description: strongSwan charon-tkm IKE daemon
+# Description:       with swanctl the strongSwan charon-tkm daemon must be
 #                    running in the background
 ### END INIT INFO
 
 
 # PATH should only include /usr/* if it runs after the mountnfs.sh script
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
-DESC="strongSwan charon IKE daemon"
-NAME=charon
+DESC="strongSwan charon-tkm IKE daemon"
+NAME=charon-tkm
 DAEMON=/usr/local/libexec/ipsec/$NAME
 DAEMON_ARGS=""
 PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/charon
+SCRIPTNAME=/etc/init.d/charon-tkm
 
 # Exit if the package is not installed
 [ -x "$DAEMON" ] || exit 0
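Review bot: `[ -x "$DAEMON" ] || exit 0` lets `service charon-tkm start` succeed silently on a host where /usr/local/libexec/ipsec/charon-tkm is missing, so a broken TKM build only shows up later as an `expect-connection` timeout in pretest.dat instead of at the start step. For a test-harness script an explicit failure is more useful, e.g. `[ -x "$DAEMON" ] || { echo "$DAEMON not installed" >&2; exit 5; }` (LSB status for "program is not installed"). `PIDFILE=/var/run/$NAME.pid` now also presumes that charon-tkm writes charon-tkm.pid at that path, which I cannot confirm from this page. The start/stop actions of the script are outside the hunk.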
index 7918485d460dda52dccfa5d9f9f27be8d6870163..3505504204c3ef984662a301e7cd624929e519d4 100644 (file)
@@ -2,7 +2,7 @@
 
 PKG = tkm
 SRC = https://git.codelabs.ch/git/$(PKG).git
-REV = 8184cc0976a5b00c9d042bef2032223ae261f948
+REV = b99aeb158b7701ea4a77184bff5ff38f8e26013a
 
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
 
index 4158625a13dfa0587db663a9df4cf27715c65b16..2ba6e0bf87e08ced492c483daa2a7383842bd89b 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
@@ -11,7 +9,7 @@ moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 1::YES
 moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES
 moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
-moon::DAEMON_NAME=charon-tkm ipsec down conn1 && sleep 1::no output expected::NO
+moon::swanctl --terminate --ike conn1 && sleep 1::no output expected::NO
 moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
 moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
index bd076cf846deaeb721e19adcd311b3fa1692d65b..b6d0cce82dadd22d32eba9c14f222969a8e033e8 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
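Review bot: `swanctl --load-all --noprompt` in start-scripts loads every private key swanctl finds under /etc/swanctl (rsa, ecdsa, pkcs8, private, pkcs12, among others) into charon-tkm, which would defeat the purpose of keeping the key inside tkm_keymanager; the test only stays key-free because pretest.dat deletes /etc/swanctl/rsa/* beforehand, an assumption that is invisible from this file. Make it explicit with a comment above the entry, e.g. `# the RSA key is loaded into tkm_keymanager (-k); keep /etc/swanctl/rsa and the other key dirs empty so --load-all does not hand it to charon-tkm`. Whether the test image ships keys in the other key directories is something to confirm; if it does, pretest.dat should clear those too.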
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index e52a04f..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index f585edfca2e73d45a030da78d02ce00a39abb809..2e6ff3708ebe1aa3e90cd2f0d5bf25a8f3bd05e6 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..f6de734
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
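Review bot: The deleted ipsec.conf pinned `keyexchange=ikev2`, but the new host-host connection has no `version` entry, so with swanctl's default (`version = 0`) sun also accepts IKEv1 as responder; add `version = 2` to the connection to keep the old restriction (evaltest only checks the version of the SA that was actually set up, not what the responder would accept). The explicit lifetimes (`ikelifetime=60m`, `keylife=20m`, `rekeymargin=3m`) were dropped as well, so rekeying now runs on swanctl defaults (4h IKE / 1h CHILD) and is effectively driven by the TKM peer's soft 30/hard 60 ESA limits; if that is deliberate a sentence in the commit message would help, otherwise `rekey_time = 60m` on the connection and `rekey_time = 20m` on the child restore parity. The default values are quoted from swanctl.conf(5) from memory; confirm them against the installed version.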
index 34037bc234c9f90a3366ae10a65c7efc95977778..09900ddc695be7f108b720b15c8e293969931b80 100644 (file)
@@ -1,4 +1,4 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 6be277737f4effd65062b7202760790e9aa6f61c..cb5d5b42c0f649673ab2cea9a9717d86f0dd2357 100644 (file)
@@ -1,10 +1,10 @@
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
-sun::ipsec start
+moon::service charon-tkm start
+sun::systemctl start strongswan
 sun::expect-connection host-host
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
-moon::DAEMON_NAME=charon-tkm ipsec up conn1
+moon::expect-connection conn1
+moon::swanctl --initiate --child conn1 2> /dev/null
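Review bot: `moon::rm /etc/swanctl/rsa/*` is the only thing keeping the private key out of charon-tkm once `swanctl --load-all` runs from start-scripts, yet it clears just the rsa directory and has no `-f`, so it errors if the directory is already empty and leaves keys in any other swanctl key directory (ecdsa, pkcs8, private, pkcs12) untouched. Consider `moon::rm -f /etc/swanctl/rsa/* /etc/swanctl/ecdsa/* /etc/swanctl/pkcs8/* /etc/swanctl/private/*` together with a comment stating that the key is loaded into tkm_keymanager only. Whether the test image ships keys in those other directories, and how the harness treats a non-zero exit of this step, I cannot tell from this page; the `tkm_cfgtool -i /etc/swanctl/swanctl.conf` line also appears to depend on the tkm REV bump teaching the tool the swanctl.conf format, which is worth stating in the commit message.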
index 9647dc6a2a4d4b4cb62a00c25c6e986482381957..52d886dcce46b1a5d32018abe8f1ca8740344a86 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index 2db775799dda27829450b586d89fc4114e0a2e83..5f1af74d54dada2e1c316a3555db14c2bcf05f57 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index bd076cf846deaeb721e19adcd311b3fa1692d65b..b6d0cce82dadd22d32eba9c14f222969a8e033e8 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index 6681dad..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       auto=add
-       type=transport
index f585edfca2e73d45a030da78d02ce00a39abb809..2e6ff3708ebe1aa3e90cd2f0d5bf25a8f3bd05e6 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..f6de734
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index 34037bc234c9f90a3366ae10a65c7efc95977778..09900ddc695be7f108b720b15c8e293969931b80 100644 (file)
@@ -1,4 +1,4 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 9f8c7be1fcf6d43e5a3ef77c8eb893afa8f222ec..fc85d591243d386c085334dc18cd243121a370bf 100644 (file)
@@ -1,10 +1,10 @@
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
-sun::ipsec start
+moon::service charon-tkm start
+sun::systemctl start strongswan
 sun::expect-connection host-host
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
-sun::ipsec up host-host
+moon::expect-connection conn1
+sun::swanctl --initiate --child host-host 2> /dev/null
index 9647dc6a2a4d4b4cb62a00c25c6e986482381957..52d886dcce46b1a5d32018abe8f1ca8740344a86 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index 74203f82d995302dd064dab8b55a84782d7eeb3e..cffacbb13e363a9b1a95ce5bbf5e86ba60824048 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index bd076cf846deaeb721e19adcd311b3fa1692d65b..b6d0cce82dadd22d32eba9c14f222969a8e033e8 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index e52a04f..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index f585edfca2e73d45a030da78d02ce00a39abb809..2e6ff3708ebe1aa3e90cd2f0d5bf25a8f3bd05e6 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..f6de734
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index 99efe7b004d195fc59407225cce823e98a85c9bf..2b0442bab7277030b1c8a8a37125c645e52351f8 100644 (file)
@@ -1,5 +1,5 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall xfrm_proxy
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 9d2d2580c1ae7ed4bb68161b597b384447e39b93..4a009234206ed6422d0b63180b225bcfae46d1da 100644 (file)
@@ -1,12 +1,12 @@
-sun::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+sun::systemctl start strongswan
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
+moon::service charon-tkm start
 moon::expect-file /tmp/tkm.rpc.ees
 moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::expect-connection conn1
 sun::expect-connection host-host
-moon::ping -c 3 192.168.0.2
+moon::ping -c 3 -W 1 -i 0.2 192.168.0.2
index 9647dc6a2a4d4b4cb62a00c25c6e986482381957..52d886dcce46b1a5d32018abe8f1ca8740344a86 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index 23f6151fc3b134c732ff79aa1097bec815aa3581..52484fcde088b498be245873ba9f09fe29e7cad7 100644 (file)
@@ -1,11 +1,7 @@
-sun::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*sun.strongswan.org.*carol.strongswan.org::YES
-sun::ipsec stroke status 2> /dev/null::conn2.*ESTABLISHED.*sun.strongswan.org.*dave.strongswan.org::YES
-carol::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*carol.strongswan.org.*sun.strongswan.org::YES
-dave::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*dave.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec stroke status 2> /dev/null::conn2.*INSTALLED, TRANSPORT::YES
-carol::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-dave::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun::  swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.100/32]::YES
+sun::  swanctl --list-sas --raw 2> /dev/null::conn2.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn2.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.100/32] remote-ts=\[192.168.0.2/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.200/32] remote-ts=\[192.168.0.2/32]::YES
 carol::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 dave::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
@@ -15,7 +11,7 @@ dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
 sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
 sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
 sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
-sun::cat /tmp/tkm.log | grep "Certificate chain of CC context 1 is valid" | wc -l::2::YES
+sun::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::2
 sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
 sun::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index 10ee3e8..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn host-host
-       left=PH_IP_CAROL
-       leftcert=carolCert.pem
-       leftid=carol@strongswan.org
-       right=PH_IP_SUN
-       rightid=sun.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index 2127105da5b43a7732fdb7abc3a3c5962bf9bd19..2e6ff3708ebe1aa3e90cd2f0d5bf25a8f3bd05e6 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..5b23486
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_CAROL
+    remote_addrs = PH_IP_SUN
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = carolCert.pem
+      id = carol@strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = sun.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
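Review bot: The deleted carol ipsec.conf set `mobike=no` and `keyexchange=ikev2`, while the new host-host connection has neither, so carol now offers MOBIKE to the TKM peer (swanctl defaults to `mobike = yes`) and the connection is no longer pinned to IKEv2. The evaltest expectation of `local-port=4500` on carol suggests the switch to MOBIKE was noticed and accepted; if so, say so in the commit message, otherwise add `mobike = no` and `version = 2` under `host-host`. The same applies to dave's swanctl.conf in this commit.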
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 6ba0a97..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn host-host
-       left=PH_IP_DAVE
-       leftcert=daveCert.pem
-       leftid=dave@strongswan.org
-       right=PH_IP_SUN
-       rightid=sun.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index 2127105da5b43a7732fdb7abc3a3c5962bf9bd19..2e6ff3708ebe1aa3e90cd2f0d5bf25a8f3bd05e6 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..26a2f81
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_DAVE
+    remote_addrs = PH_IP_SUN
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = daveCert.pem
+      id = dave@strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = sun.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index bd076cf846deaeb721e19adcd311b3fa1692d65b..b6d0cce82dadd22d32eba9c14f222969a8e033e8 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
index 9a4a9bc9dc081b374f5f61391c259f55d42b701f..bbe05307fde941295f0cc497b3bf52b46a00865e 100644 (file)
@@ -1,5 +1,5 @@
-sun::DAEMON_NAME=charon-tkm ipsec stop
+sun::service charon-tkm stop
 sun::killall tkm_keymanager
 sun::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
index 16a8ffd0fb881e47410e2b672e0922fb958a7d6d..7efe7424c3851561067f74a480888b582f529400 100644 (file)
@@ -1,14 +1,14 @@
-sun::rm /etc/ipsec.secrets
-sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-sun::cat /etc/ipsec.conf
+sun::rm /etc/swanctl/rsa/*
+sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+sun::cat /etc/swanctl/swanctl.conf
 sun::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/sunKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 sun::expect-file /tmp/tkm.rpc.ike
-sun::DAEMON_NAME=charon-tkm ipsec start
-carol::ipsec start
+sun::service charon-tkm start
+carol::systemctl start strongswan
 carol::expect-connection host-host
-dave::ipsec start
+dave::systemctl start strongswan
 dave::expect-connection host-host
-sun::DAEMON_NAME=charon-tkm expect-connection conn1
-sun::DAEMON_NAME=charon-tkm expect-connection conn2
-carol::ipsec up host-host
-dave::ipsec up host-host
+sun::expect-connection conn1
+sun::expect-connection conn2
+carol::swanctl --initiate --child host-host 2> /dev/null
+dave::swanctl --initiate --child host-host 2> /dev/null
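Review bot: `sun::rm /etc/swanctl/rsa/*` has no `-f`, so if the directory is already empty (a re-run after an earlier pretest, or an image without an RSA key there) the glob stays literal and rm reports an error; `sun::rm -f /etc/swanctl/rsa/*` would match the `rm -f` style already used in posttest.dat. It also clears only the `rsa` directory while the `swanctl --load-all` start script would pick up keys from `ecdsa`, `pkcs8` or `private` as well — fine if the image only ships sunKey as RSA, but the assumption should be stated or those directories cleared too. Separately, `swanctl --initiate --child host-host 2> /dev/null` on carol and dave discards errors the old `ipsec up` printed, which is acceptable because evaltest checks the SA but makes a failed run harder to diagnose.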
index 1dd36309dae85491e1b432f55ed1f17ba363e479..cec3ba2dda4846af2a6807d1d8b71e9e36a04648 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="carol dave"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="carol dave sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index f3a06c66b7e1cbfa52d4b666ca922416fd62069f..95b3267ee2842c09f9931ebb3bb3fc797c62fbed 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
-sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
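Review bot: The sun line has a stray space after the host separator (`sun:: swanctl --list-sas`) while moon's reads `moon::swanctl ...`; unless the harness trims the command field this depends on the shell tolerating a leading blank, so normalise it to `sun::swanctl --list-sas --raw 2> /dev/null::net-net.*...::YES`. The same form recurs in the other evaltest.dat files of this commit. On the positive side the new pattern pins the negotiated algorithms (AES_CBC/256, HMAC_SHA2_512_256, PRF_HMAC_SHA2_512, MODP_4096), which is a much stronger check than the old bare `ESTABLISHED` match; the unescaped dots in `10.1.0.0/16` match any character, which is harmless here.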
index bd076cf846deaeb721e19adcd311b3fa1692d65b..b6d0cce82dadd22d32eba9c14f222969a8e033e8 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index 21b613d..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       auto=add
index a26295090ac1a9737ef71b4108b3a0a91aa1f9b1..2e6ff3708ebe1aa3e90cd2f0d5bf25a8f3bd05e6 100644 (file)
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
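Review bot: `multiple_authentication = no` is removed from sun's config and not carried into the new `charon-systemd { }` section, and the commit message does not mention this behaviour change. With the default, sun will send MULTIPLE_AUTH_SUPPORTED in IKE_AUTH; if the setting existed to keep the TKM-backed peer from seeing that notify, it should be re-added as `charon-systemd { load = ...  multiple_authentication = no }`, and if it was simply stale that should be said in the commit message so the drop is recognisably deliberate. The same setting disappears from the net2net-xfrmproxy sun config in this commit.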
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..34124f5
--- /dev/null
@@ -0,0 +1,26 @@
+connections {
+
+  net-net {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      net-net {
+        local_ts = 10.2.0.0/16
+        remote_ts = 10.1.0.0/16
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
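Review bot: Compared with the deleted ipsec.conf just above, the new `net-net` connection no longer sets `mobike = no`, so with swanctl's default of `mobike = yes` sun will now advertise MOBIKE_SUPPORTED to the charon-tkm initiator on moon. If that was disabled deliberately for interop with the TKM, add `mobike = no` under the connection; otherwise a comment noting that defaults are intended (`# MOBIKE and lifetimes left at swanctl defaults`) would stop the next reader from wondering whether the omission is an oversight. The old explicit `keylife`/`rekeymargin` values are likewise replaced by defaults, which only matters if this test is ever expected to observe a rekey.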
index 34037bc234c9f90a3366ae10a65c7efc95977778..09900ddc695be7f108b720b15c8e293969931b80 100644 (file)
@@ -1,4 +1,4 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index e30b3b1b9bf6855f488371abf9f80e17f908fec3..6a30f38cc6f22e1c4723e03969951e2b172cafff 100644 (file)
@@ -1,10 +1,10 @@
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
-sun::ipsec start
+moon::service charon-tkm start
+sun::systemctl start strongswan
 sun::expect-connection net-net
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
-moon::DAEMON_NAME=charon-tkm ipsec up conn1
+moon::expect-connection conn1
+moon::swanctl --initiate --child conn1 2> /dev/null
index afa2accbec475802093d715cc101f9e8399c8758..87abc763b95b77262fb72e84f0a7da5bb1e0ebd9 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index d4befada5ffc11e200c79858d091b706d49f4a25..45eb4e4ce3332938650dfa653dc078ff5996b621 100644 (file)
@@ -1,7 +1,5 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
-sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index bd076cf846deaeb721e19adcd311b3fa1692d65b..b6d0cce82dadd22d32eba9c14f222969a8e033e8 100644 (file)
@@ -11,4 +11,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index 21b613d..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-       mobike=no
-
-conn net-net
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       leftsubnet=10.2.0.0/16
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       auto=add
index a26295090ac1a9737ef71b4108b3a0a91aa1f9b1..2e6ff3708ebe1aa3e90cd2f0d5bf25a8f3bd05e6 100644 (file)
@@ -1,6 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-  multiple_authentication = no
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
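Review bot: As in the net2net-initiator sun config, `multiple_authentication = no` is dropped here without being moved into `charon-systemd { }`, so sun now falls back to the default and will send MULTIPLE_AUTH_SUPPORTED to the TKM-backed moon. Either carry it over as `multiple_authentication = no` inside the `charon-systemd` block or note in the commit message that the option is no longer needed for the TKM peer. Keeping the two net2net sun configs in step is what matters most, since they share the same peer and test flow.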
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..34124f5
--- /dev/null
@@ -0,0 +1,26 @@
+connections {
+
+  net-net {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      net-net {
+        local_ts = 10.2.0.0/16
+        remote_ts = 10.1.0.0/16
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index 24544307aa2552c4ce7b53dd11be6889d52ef4ae..2b0442bab7277030b1c8a8a37125c645e52351f8 100644 (file)
@@ -1,4 +1,5 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
+moon::killall xfrm_proxy
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index d022155a79cf340c8847d2c7bf02bf830e404a8c..a868e802122ef3ab8d576bbfa003be780c68d3bd 100644 (file)
@@ -1,12 +1,12 @@
-sun::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+sun::systemctl start strongswan
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
+moon::service charon-tkm start
 moon::expect-file /tmp/tkm.rpc.ees
 moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::expect-connection conn1
 sun::expect-connection net-net
-alice::ping -c 3 PH_IP_BOB
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
index afa2accbec475802093d715cc101f9e8399c8758..87abc763b95b77262fb72e84f0a7da5bb1e0ebd9 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index 421924c7ccb40cde6ccabaf6807a3626e23d94bf..3953d207a913db236f8d41b110521200fd69db68 100644 (file)
@@ -1,8 +1,6 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::sleep 2::wait for rekeying::NO
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+moon::sleep 3::wait for rekeying::NO
 moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
 moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES
 moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
@@ -20,7 +18,7 @@ moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES
 moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
 moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
-moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 4, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 4, hard 60 \]::2
 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
 moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
 moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
index e9ab53629062d00eb10f8ed5709f6ae87d1b0efe..89731f2846d9a2e9b295a54280e43cd0be2f1826 100644 (file)
@@ -13,4 +13,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index e52a04f..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index f585edfca2e73d45a030da78d02ce00a39abb809..2e6ff3708ebe1aa3e90cd2f0d5bf25a8f3bd05e6 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..f6de734
--- /dev/null
@@ -0,0 +1,25 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
index 99efe7b004d195fc59407225cce823e98a85c9bf..2b0442bab7277030b1c8a8a37125c645e52351f8 100644 (file)
@@ -1,5 +1,5 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall xfrm_proxy
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 9d2d2580c1ae7ed4bb68161b597b384447e39b93..4a009234206ed6422d0b63180b225bcfae46d1da 100644 (file)
@@ -1,12 +1,12 @@
-sun::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+sun::systemctl start strongswan
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
+moon::service charon-tkm start
 moon::expect-file /tmp/tkm.rpc.ees
 moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::expect-connection conn1
 sun::expect-connection host-host
-moon::ping -c 3 192.168.0.2
+moon::ping -c 3 -W 1 -i 0.2 192.168.0.2
index 9647dc6a2a4d4b4cb62a00c25c6e986482381957..52d886dcce46b1a5d32018abe8f1ca8740344a86 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
index fbda21e0b407f0f7f2f399aa20212eb6d7101508..fca4778251ff8a7452bc667ddb992d905c1070bd 100644 (file)
@@ -1,8 +1,6 @@
-moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
-sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::sleep 2::wait for rekeying::NO
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+moon::sleep 3::wait for rekeying::NO
 sun::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
 moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
@@ -18,7 +16,7 @@ moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES
 moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
 moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator FALSE, spi_loc.*, spi_rem.*)::YES
-moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::2
 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
 moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
 moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
index e9ab53629062d00eb10f8ed5709f6ae87d1b0efe..89731f2846d9a2e9b295a54280e43cd0be2f1826 100644 (file)
@@ -13,4 +13,7 @@ charon-tkm {
       fingerprint = CA_SPK_HEX
     }
   }
+  start-scripts {
+    swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+  }
 }
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf
deleted file mode 100644 (file)
index 9dc6412..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=10s
-       rekeymargin=6s
-       rekeyfuzz=0%
-       keyingtries=1
-       keyexchange=ikev2
-
-conn host-host
-       left=PH_IP_SUN
-       leftcert=sunCert.pem
-       leftid=sun.strongswan.org
-       right=PH_IP_MOON
-       rightid=moon.strongswan.org
-       ike=aes256-sha512-modp4096!
-       esp=aes256-sha512-modp4096!
-       type=transport
-       auto=add
index f585edfca2e73d45a030da78d02ce00a39abb809..2e6ff3708ebe1aa3e90cd2f0d5bf25a8f3bd05e6 100644 (file)
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+swanctl {
+  load = pem pkcs1 gmp x509 revocation random
+}
+
+charon-systemd {
+  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644 (file)
index 0000000..eda900f
--- /dev/null
@@ -0,0 +1,28 @@
+connections {
+
+  host-host {
+    local_addrs  = PH_IP_SUN
+    remote_addrs = PH_IP_MOON
+
+    proposals = aes256-sha512-modp4096
+
+    local {
+      auth = pubkey
+      certs = sunCert.pem
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = pubkey
+      id = moon.strongswan.org
+    }
+    children {
+      host-host {
+        life_time=10s
+        rekey_time=4s
+        rand_time=0
+        mode = transport
+        esp_proposals = aes256-sha512-modp4096
+      }
+    }
+  }
+}
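Review bot: The three lifetime keys are written without spaces around `=` (`life_time=10s`, `rekey_time=4s`, `rand_time=0`) while every other setting in this new file uses `key = value`; for consistency with the rest of the swanctl.conf files in the commit write them as `life_time = 10s`, `rekey_time = 4s`, `rand_time = 0`. The values themselves match the deleted ipsec.conf (`keylife=10s` with `rekeymargin=6s` gives a rekey at 4s, `rekeyfuzz=0%` maps to `rand_time = 0`), which is worth a short comment such as `# deterministic rekey at 4s, hard expiry at 10s (was keylife/rekeymargin/rekeyfuzz)` so the next reader can see the translation was intentional.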
index 99efe7b004d195fc59407225cce823e98a85c9bf..2b0442bab7277030b1c8a8a37125c645e52351f8 100644 (file)
@@ -1,5 +1,5 @@
-moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::service charon-tkm stop
 moon::killall xfrm_proxy
 moon::killall tkm_keymanager
 moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
-sun::ipsec stop
+sun::systemctl stop strongswan
index 9d2d2580c1ae7ed4bb68161b597b384447e39b93..4a009234206ed6422d0b63180b225bcfae46d1da 100644 (file)
@@ -1,12 +1,12 @@
-sun::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
-moon::cat /etc/ipsec.conf
+sun::systemctl start strongswan
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
 moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
 moon::expect-file /tmp/tkm.rpc.ike
-moon::DAEMON_NAME=charon-tkm ipsec start
+moon::service charon-tkm start
 moon::expect-file /tmp/tkm.rpc.ees
 moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
-moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::expect-connection conn1
 sun::expect-connection host-host
-moon::ping -c 3 192.168.0.2
+moon::ping -c 3 -W 1 -i 0.2 192.168.0.2
index 9647dc6a2a4d4b4cb62a00c25c6e986482381957..52d886dcce46b1a5d32018abe8f1ca8740344a86 100644 (file)
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1