ECP_256_BP, respectively in a first round, followed by a Quantum-Save Key Exchange with the
lattice-based QSKE_NEWHOPE_L1 and isogeny-based QSKE_SIKE_L1 mechanisms, respectively.
<p>
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
-The gateway <b>moon</b> assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
-increasing order.
+The first CHILD_SA net1 is for the remote subnet 10.1.0.0/28. A second CHILD_SA net2 for the
+remote subnet 10.1.0.16/28 is established using the QSKE mechanisms QSKE_KYBER_L1 and QSKE_FRODO_AES_L1
+by <b>carol</b> and <b>dave</b>, respectively.
\ No newline at end of file
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_NEWHOPE_L1.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_SIKE_L1.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_NEWHOPE_L1.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_SIKE_L1.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_NEWHOPE_L1.*local-vips=\[10.3.0.1] child-sas.*net1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/28].*net2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256 dh-group=CURVE_25519.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.16/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_SIKE_L1.*local-vips=\[10.3.0.2] child-sas.*net1.*state=INSTALLED mode=TUNNEL.*protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/28].*net2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256 dh-group=ECP_256_BP.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 qske-mechanism=QSKE_NEWHOPE_L1.*remote-vips=\[10.3.0.1] child-sas.*net1.*reqid=1 state=INSTALLED mode=TUNNEL.*protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/28] remote-ts=\[10.3.0.1/32].*net2.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256 dh-group=CURVE_25519.*local-ts=\[10.1.0.16/28] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256_BP qske-mechanism=QSKE_SIKE_L1.*remote-vips=\[10.3.0.2] child-sas.*net1.*reqid=3 state=INSTALLED mode=TUNNEL.*protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/28] remote-ts=\[10.3.0.2/32].*net2.*reqid=4 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=256 dh-group=ECP_256_BP.*local-ts=\[10.1.0.16/28] remote-ts=\[10.3.0.2/32]::YES
alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
+venus::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES
+venus::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
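Review bot: The new net2 CHILD_SA patterns on the carol, dave and both moon lines assert only `dh-group=CURVE_25519` or `dh-group=ECP_256_BP` for the CREATE_CHILD_SA exchange, although the description and the esp_proposals (qskekyber1, qskefrodoa1) say net2 is meant to use QSKE_KYBER_L1 and QSKE_FRODO_AES_L1. If swanctl --list-sas --raw reports the mechanism on a CHILD_SA the way it does on the IKE_SA, extend the net2 match to `dh-group=CURVE_25519 qske-mechanism=QSKE_KYBER_L1` on the carol-side lines and `dh-group=ECP_256_BP qske-mechanism=QSKE_FRODO_AES_L1` on the dave-side lines; as written, a net2 CHILD_SA negotiated without the quantum-safe exchange still passes the test. On the carol line the net1 match reads `mode=TUNNEL protocol=ESP` while the three other lines use `mode=TUNNEL.*protocol=ESP`; both forms match today, but the four patterns are easier to keep in sync if written the same way.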
id = moon.strongswan.org
}
children {
- home {
- remote_ts = 10.1.0.0/16
-
+ net1 {
+ remote_ts = 10.1.0.0/28
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128-x25519-qskenewhope1
+ }
+ net2 {
+ remote_ts = 10.1.0.16/28
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes256gcm128
+ esp_proposals = aes256gcm128-x25519-qskekyber1
}
}
version = 2
id = moon.strongswan.org
}
children {
- home {
- remote_ts = 10.1.0.0/16
-
+ net1 {
+ remote_ts = 10.1.0.0/28
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128-ecp256bp-qskesike1
+ }
+ net2 {
+ remote_ts = 10.1.0.16/28
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes256gcm128
+ esp_proposals = aes256gcm128-ecp256bp-qskefrodoa1
}
}
version = 2
auth = pubkey
}
children {
- net {
- local_ts = 10.1.0.0/16
+ net1 {
+ local_ts = 10.1.0.0/28
updown = /usr/local/libexec/ipsec/_updown iptables
- esp_proposals = aes256gcm128
+ esp_proposals = aes256gcm128-x25519-ecp256bp-qskenewhope1-qskesike1
+ }
+ net2 {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128-x25519-ecp256bp-qskekyber1-qskefrodoa1
}
}
version = 2
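Review bot: The net2 block of moon's configuration keeps an empty line between `local_ts = 10.1.0.16/28` and the `updown` line, while net1 in the same file and the net1/net2 blocks in carol's and dave's configurations have none. It looks like a leftover from the removed `net` block; dropping the blank line keeps the three swanctl.conf files uniform.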
dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::swanctl --initiate --child home 2> /dev/null
+carol::swanctl --initiate --child net1 2> /dev/null
+carol::swanctl --initiate --child net2 2> /dev/null
dave::expect-connection home
-dave::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child net1 2> /dev/null
+dave::swanctl --initiate --child net2 2> /dev/null