carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
dave::cat /etc/tnc_config
carol::cat /etc/tnc/dummyimc.file
dave::cat /etc/tnc/dummyimc.file
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
moon::expect-connection rw-allow
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
-
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
}
post-auth {
+ if (control:TNC-Status == "Access") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "allow"
+ }
+ }
+ elsif (control:TNC-Status == "Isolate") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "isolate"
+ }
+ }
+
Post-Auth-Type REJECT {
attr_filter.access_reject
}
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
- debug_level = 3
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
+ debug_level = 3
assessment_result = no
plugins {
- imv-scanner {
- closed_port_policy = no
- tcp_ports = 80 443
- }
+ imv-test {
+ rounds = 1
+ }
}
}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
libimcv {
plugins {
+ imc-test {
+ command = none
+ }
imc-scanner {
push_info = no
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
multiple_authentication=no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
plugins {
eap-radius {
secret = gv6URkSs
- server = PH_IP_ALICE
+ server = 10.1.0.10
+ filter_id = yes
}
}
}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ }
+ children {
+ rw {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
alice::killall radiusd
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
-dave::/etc/init.d/apache2 stop 2> /dev/null
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-dave::/etc/init.d/apache2 start 2> /dev/null
alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-v-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
#
RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
}
}
-}
-
-libimcv {
plugins {
- imc-test {
- command = allow
+ eap-tnc {
+ protocol = tnccs-1.1
}
}
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
-
retransmit_tries = 5
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
}
}
-}
-
-libimcv {
plugins {
- imc-test {
- command = allow
- }
- imc-scanner {
- push_info = no
+ eap-tnc {
+ protocol = tnccs-1.1
}
}
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
multiple_authentication=no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
plugins {
eap-radius {
secret = gv6URkSs
- server = PH_IP_ALICE
+ server = 10.1.0.10
filter_id = yes
}
}
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
alice::killall radiusd
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
-dave::expect-connection home
-dave::ipsec up home
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
alice::ipsec attest --sessions
alice::ipsec attest --devices
# Guest instances on which databases are used
#
DBHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
assessment_result = no
plugins {
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
multiple_authentication=no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
plugins {
eap-radius {
secret = gv6URkSs
- server = PH_IP_ALICE
+ server = 10.1.0.10
filter_id = yes
}
}
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
alice::killall radiusd
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
moon::iptables-restore < /etc/iptables.flush
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
#
RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
assessment_result = no
plugins {
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
plugins {
imc-test {
--- /dev/null
+# The strongSwan IMCs are loaded by the WPA supplicant
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
plugins {
imc-test {
--- /dev/null
+# The strongSwan IMCs are loaded by the WPA supplicant
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
+++ /dev/null
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow RADIUS protocol with alice
--A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
--A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-COMMIT
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
- multiple_authentication=no
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- filter_id = yes
- }
- }
-}
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS=
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="carol dave"
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
+
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = de, en
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = ru, fr, en
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-scanner {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
-libimcv {
- plugins {
- imv-scanner {
- closed_port_policy = yes
- tcp_ports = 22
- udp_ports = 500 4500
- }
- }
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ }
+ children {
+ rw {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
-dave::/etc/init.d/apache2 stop 2> /dev/null
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-dave::/etc/init.d/apache2 start 2> /dev/null
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
plugins {
tnc-imc {
preferred_language = ru , de, en
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 2
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnccs-20 {
tests {
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = ru, pl , de
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-carol::ipsec stop
-moon::ipsec stop
+carol::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
+carol::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 2
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
dave::cat /etc/tnc_config
carol::cat /etc/tnc/dummyimc.file
dave::cat /etc/tnc/dummyimc.file
-moon::cat /etc/tnc/dummyimv.policy
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
moon::expect-connection rw-allow
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imv 3"
-
-conn aaa
- leftcert=aaaCert.pem
- leftid=aaa.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
request_peer_auth = yes
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imc = 3
+ }
+ }
plugins {
eap-ttls {
max_message_count = 0
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
os_info {
name = strongPrint OS
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftauth=eap
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imc = 3
+ }
+ }
plugins {
eap-ttls {
max_message_count = 0
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
os_info {
name = strongPrint OS
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightsendcert=never
- right=%any
- eap_identity=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown
multiple_authentication=no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
plugins {
eap-radius {
secret = gv6URkSs
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
+alice::service charon stop
+alice::rm /etc/swanctl/rsa/aaaKey.pem
+alice::rm /etc/swanctl/x509/aaaCert.pem
winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::cat /etc/tnc_config
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-alice::ipsec start
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+alice::rm /etc/swanctl/rsa/aliceKey.pem
+alice::rm /etc/swanctl/x509/aliceCert.pem
+alice::service charon start
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
moon::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+moon::ping -c 1 192.168.0.2::64 bytes from 192.168.0.2: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imc 2, imv 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=moon.strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_SUN
- rightid=sun.strongswan.org
- rightsendcert=never
- rightauth=any
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+ load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imc = 2
+ imv = 2
+ }
+ }
plugins {
eap-ttls {
- phase2_tnc =yes
+ phase2_tnc = yes
}
tnccs-20 {
mutual = yes
}
}
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ mutual {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = eap-ttls
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = sun.strongswan.org
+ }
+ children {
+ mutual {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imc 2, imv 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=sun.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=moon.strongswan.org
- rightauth=eap-ttls
- rightsendcert=never
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+ load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
- multiple_authentication = no
+ multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imc = 2
+ imv = 2
+ }
+ }
plugins {
eap-ttls {
request_peer_auth = yes
}
}
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ mutual {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ mutual {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+}
-moon::ipsec stop
-sun::ipsec stop
+moon::service charon stop
+sun::service charon stop
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection host-host
-moon::ipsec up host-host
+moon::service charon start
+sun::service charon start
+moon::expect-connection mutual
+moon::swanctl --initiate --child mutual
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-/* configuration is read from /etc/pts/options */
--connect sun.strongswan.org
--client moon.strongswan.org
---key /etc/ipsec.d/private/moonKey.pem
---cert /etc/ipsec.d/certs/moonCert.pem
---cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--key /etc/swanctl/rsa/moonKey.pem
+--cert /etc/swanctl/x509/moonCert.pem
+--cert /etc/swanctl/x509ca/strongswanCert.pem
--mutual
--quiet
--debug 2
# /etc/strongswan.conf - strongSwan configuration file
pt-tls-client {
- load = x509 openssl pem pkcs1 random nonce revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20
+ load = random nonce x509 openssl pem pkcs1 revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20
+}
+
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+# the PT-TLS client reads its configuration and secrets via the command line
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imc 2, imv 2"
-
-conn pdp
- leftcert=sunCert.pem
- leftid=sun.strongswan.org
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20
+ load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imc = 2
+ imv = 2
+ }
+ }
plugins {
tnc-pdp {
server = sun.strongswan.org
}
}
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
-sun::ipsec stop
+sun::service charon stop
-sun::ipsec start
+sun::service charon start
moon::cat /etc/pts/options
-sun::expect-connection pdp
+moon::sleep 1
moon::ipsec pt-tls-client --optionsfrom /etc/pts/options
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ pts = 3
+ }
+ }
+}
+
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
-
retransmit_tries = 5
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ pts = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = de
}
}
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-os {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3, pts 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ pts = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
database = sqlite:///etc/db.d/config.db
policy_script = ipsec imv_policy_manager
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
-dave::expect-connection home
-dave::ipsec up home
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
moon::ipsec attest --sessions
moon::ipsec attest --devices
# Guest instances on which databases are used
#
DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: ipsec attest --sessions 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec attest --sessions 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = de
}
}
+ilibtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-os {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
database = sqlite:///etc/db.d/config.db
policy_script = ipsec imv_policy_manager
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
-moon::ipsec attest --packages --product 'Debian 7.4 x86_64'
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/nullmoon::ipsec attest --packages --product 'Debian 7.9 x86_64'
moon::ipsec attest --sessions
moon::ipsec attest --devices
# Guest instances on which databases are used
#
-DBHOSTS="moon"
\ No newline at end of file
+DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
dave:: cat /var/log/daemon.log::collected ... SWID tags::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES
carol::cat /var/log/daemon.log::collected 1 SWID tag::YES
carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES
alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and ... SWID tags::YES
alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
-moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=192.168.0.100 remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=192.168.0.200 remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=192.168.0.200 remote-eap-id=dave.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imv 3"
-
-conn aaa
- leftcert=aaaCert.pem
- leftid=aaa.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem
-
-carol : EAP "Ar3etTnp"
-dave : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
--- /dev/null
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- eap_identity=carol
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- retransmit_timeout =
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imc = 3
+ }
+ }
plugins {
eap-ttls {
max_message_count = 0
}
}
}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ eap_id = carol
+ aaa_id = aaa.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- eap_identity=dave
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- retransmit_timeout =
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imc = 3
+ }
+ }
plugins {
eap-ttls {
max_message_count = 0
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-os {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ eap_id = dave
+ aaa_id = aaa.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightsendcert=never
- right=%any
- eap_identity=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown
+
multiple_authentication=no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
plugins {
eap-radius {
secret = gv6URkSs
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ eap_id = %any
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ eap_id = %any
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::ipsec stop
+moon::service charon stop
+carol::service charon stop
+dave::service charon stop
+alice::service charon stop
alice::service apache2 stop
+alice::rm /etc/swanctl/x509/aaaCert.pem
+alice::rm /etc/swanctl/rsa/aaaKey.pem
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
+alice::rm /etc/swanctl/x509/aliceCert.pem
+alice::rm /etc/swanctl/rsa/aliceKey.pem
+carol::rm /etc/swanctl/x509/carolCert.pem
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/x509/daveCert.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
alice::service apache2 start
-alice::ipsec start
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
+alice::service charon start
+moon::service charon start
+dave::service charon start
+carol::service charon start
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
carol::sleep 1
#
DBHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tls 2, tnc 2, imv 3"
-
-conn aaa
- leftcert=aaaCert.pem
- leftid=aaa.strongswan.org
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem
-
-carol : EAP "Ar3etTnp"
-dave : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 nonce x509 openssl curl revocation constraints socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+ load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tls = 2
+ tnc = 2
+ imv = 3
+ }
+ }
plugins {
tnc-pdp {
server = aaa.strongswan.org
--- /dev/null
+secrets {
+
+ eap-carol {
+ id = carol
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# the PT-TLS client reads its configuration via the command line
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# the PT-TLS client loads its secrets via the command line
--connect aaa.strongswan.org
--client carol
--secret "Ar3etTnp"
---cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--cert /etc/swanctl/x509ca/strongswanCert.pem
--quiet
--debug 2
--- /dev/null
+# the PT-TLS client reads its configuration and secrets via the command line
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# the PT-TLS client reads its configuration via the command line
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# the PT-TLS client loads its secrets via the command line
--connect aaa.strongswan.org
--client dave@strongswan.org
---key /etc/ipsec.d/private/daveKey.pem
---cert /etc/ipsec.d/certs/daveCert.pem
---cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--key /etc/swanctl/rsa/daveKey.pem
+--cert /etc/swanctl/x509/daveCert.pem
+--cert /etc/swanctl/x509ca/strongswanCert.pem
--quiet
--debug 2
--- /dev/null
+# the PT-TLS client reads its configuration and secrets via the command line
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# this file is not used in this scenario
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# this file is not used in this scenario
--- /dev/null
+# this file is not used in this scenario
carol::ip route del 10.1.0.0/16 via 192.168.0.1
dave::ip route del 10.1.0.0/16 via 192.168.0.1
winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
-alice::ipsec stop
+alice::service charon stop
alice::service apache2 stop
alice::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
+alice::rm /etc/swanctl/x509/aliceCert.pem
+alice::rm /etc/swanctl/rsa/aliceKey.pem
alice::service apache2 start
-alice::ipsec start
+alice::service charon start
alice::expect-connection aaa
winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
dave::ip route add 10.1.0.0/16 via 192.168.0.1
# Guest instances on which databases are used
#
DBHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ pts = 3
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- retransmit_timeout =
+ load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ pts = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = de
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-os {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3, pts 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+ load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ pts = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
database = sqlite:///etc/db.d/config.db
policy_script = ipsec imv_policy_manager
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+dave::service charon start
+carol::service charon start
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
moon::ipsec attest --sessions
moon::ipsec attest --devices
#
DBHOSTS="moon"
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES
moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/28]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ pts = 3
+ }
+ }
+}
+
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
- retransmit_timeout =
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ pts = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = de
}
}
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-os {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3, pts 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
-
- retransmit_timeout =
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ pts = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
database = sqlite:///etc/db.d/config.db
policy_script = ipsec imv_policy_manager
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+dave::service charon start
+carol::service charon start
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
moon::ipsec attest --sessions
moon::ipsec attest --devices
#
DBHOSTS="moon"
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
plugins {
tnc-imc {
preferred_language = ru , de, en
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 2
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imc = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ certs = carolCert.pem
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imc = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ certs =daveCert.pem
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imv 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid="C=CH, O=Linux strongSwan, OU=*, CN=*"
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 2
+ imv = 2
+ }
+ }
plugins {
eap-ttls {
request_peer_auth = yes
}
}
}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = ru, pl , de
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
moon:: cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
moon:: cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
integrity_test = yes
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
+ilibtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
integrity_test = yes
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
multiple_authentication=no
integrity_test = yes
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::LEAK_DETECTIVE_DISABLE=1 ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
projects / thirdparty / strongswan.git / commitdiff
