+++ /dev/null
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
-venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
-sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=192.168.0.2
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
-
-conn nat-t
- right=%any
- type=transport
- auto=add
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b> and gateway <b>sun</b>
-is successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
-rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+is successfully set up. The updown script automatically inserts iptables-based firewall
+rules that let pass the protected traffic. In order to test the host-to-host tunnel
<b>alice</b> pings <b>sun</b>.<br/>
<b>Note:</b> This scenario also demonstrates two problems with transport-mode and NAT traversal:
<ol>
--- /dev/null
+alice::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_ALICE/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+# this won't work due to the IPsec policy on sun for the NAT's public IP
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
+venus::expect-connection host-host
+venus::swanctl --initiate --child host-host 2> /dev/null
+venus::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_VENUS/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=.* remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+# now traffic goes via the newer SA between sun and venus
+alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
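Review bot: The first ping on the new side (`alice::ping -c 1 PH_IP_SUN`) is the only one without a `-W 1` deadline, so if the initial SA ever fails to carry traffic this line blocks for ping's default wait instead of failing fast like the other five ping checks; `alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES` keeps the file consistent. The two `--list-sas` checks on sun also differ in how they pin the NAT'd port (`remote-port=4500` for alice, `remote-port=.*` for venus); presumably this relies on the MASQUERADE rule on moon preserving alice's source port because she is mapped first, which is worth stating in a comment above the first sun check, e.g. `# alice is the first mapping on moon's NAT, so her public port is still 4500; venus gets a translated port`. The final tcpdump pair is the security-relevant assertion of the scenario (no cleartext echo reply leaves sun), so a one-line comment saying so would help a reader distinguish it from the two preceding connectivity checks.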
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ host-host {
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ host-host {
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
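Review bot: The `remote { auth = pubkey }` block on sun carries no `id` (and the connection no `remote_addrs`), so as with the old `right=%any` any peer presenting a certificate that chains to a CA in sun's trust store is accepted; the trust store itself is outside this hunk. That is what the scenario needs (alice and venus both connect to the same responder config), but it is not obvious from the file, and a comment inside the `remote` block would make the authorization boundary explicit: `# no remote id pinned: any identity certified by a trusted CA may connect`. If the test only ever expects `*@strongswan.org`-style peers, a wildcard `id` or a `cacerts` constraint would narrow it, though that is a scope decision for the scenario rather than a defect.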
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
--- /dev/null
+connections {
+
+ host-host {
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
-alice::ipsec stop
-venus::ipsec stop
-sun::ipsec stop
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
+sun::systemctl stop strongswan
alice::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
-sun::expect-connection nat-t
-alice::expect-connection nat-t
-alice::ipsec up nat-t
-venus::expect-connection nat-t
-venus::ipsec up nat-t
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
+sun::expect-connection host-host
+alice::expect-connection host-host
+alice::swanctl --initiate --child host-host 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1