--- /dev/null
+An ESP tunnel mode connection between the hosts <b>moon</b> and <b>sun</b> is
+set up for Cryptographically Generated Addresses (RFC 3972). While the peers
+communicate over ordinary IPv4 addresses, they exchange traffic selectors based
+on inner IPv6 CGA addresses.
+</p>
+<p>To establish trust in CGA addresses, the CGA plugin <i>trust</i> option is
+set in <i>strongswan.conf</i>. To recognize the private use CGA parameters
+certificate exchange, the peers exchange strongSwan vendor ID payloads.
+</p>
+<p>As the peers do not know the inner IPv6 CGA address of each other, they use
+the <i>narrowid</i> plugin. The plugin futher narrows the allowed prefix to
+the CGA each peer successfully authenticated. To enable narrowing for the
+connection, the <i>configs</i> option is set accordingly in
+<i>strongswan.conf</i>.
--- /dev/null
+moon:: ipsec status 2> /dev/null::cga-tunnel.*ESTABLISHED::YES
+sun:: ipsec status 2> /dev/null::cga-tunnel.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::cga-tunnel.*INSTALLED::YES
+sun:: ipsec status 2> /dev/null::cga-tunnel.*INSTALLED::YES
+moon::ping6 -c 1 fec2:\:3840:e1ae:500c:c55f::64 bytes from fec2:\:3840:e1ae:500c:c55f: icmp_seq=1::YES
+sun::tcpdump::IP6 fec1:\:2c1d:3461:a532:ba48 > fec2:\:3840:e1ae:500c:c55f: ESP::YES
+sun::tcpdump::IP6 fec2:\:3840:e1ae:500c:c55f > fec1:\:2c1d:3461:a532:ba48: ESP::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn cga-tunnel
+ leftcert=cga:moon.cga
+ left=PH_IP_MOON
+ leftid=fec1::2c1d:3461:a532:ba48
+ leftsubnet=fec1::2c1d:3461:a532:ba48
+ right=PH_IP_SUN
+ rightid=%any
+ rightsubnet=fec2::/64
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac cga narrowid stroke kernel-netlink socket-default updown
+
+ send_vendor_id = yes
+
+ plugins {
+ cga {
+ trust = yes
+ }
+ narrowid {
+ configs = cga-tunnel
+ }
+ }
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn cga-tunnel
+ leftcert=cga:sun.cga
+ left=PH_IP_SUN
+ leftid=fec2::3840:e1ae:500c:c55f
+ leftsubnet=fec2::3840:e1ae:500c:c55f
+ right=PH_IP_MOON
+ rightid=%any
+ rightsubnet=fec1::/64
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac cga narrowid stroke kernel-netlink socket-default updown
+
+ send_vendor_id = yes
+
+ plugins {
+ cga {
+ trust = yes
+ }
+ narrowid {
+ configs = cga-tunnel
+ }
+ }
+ syslog {
+ daemon {
+ knl = 2
+ }
+ }
+}
--- /dev/null
+moon::ipsec stop
+sun::ipsec stop
+moon::"ip addr del fec1:\:2c1d:3461:a532:ba48 dev eth1"
+sun::"ip addr del fec2:\:3840:e1ae:500c:c55f dev eth1"
--- /dev/null
+moon::"ip addr add fec1:\:2c1d:3461:a532:ba48 dev eth1"
+sun::"ip addr add fec2:\:3840:e1ae:500c:c55f dev eth1"
+moon::ipsec start
+sun::ipsec start
+moon::expect-connection cga-tunnel
+sun::expect-connection cga-tunnel
+moon::ipsec up cga-tunnel
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
projects / thirdparty / strongswan.git / commitdiff
