From: Andreas Steffen
Date: Sun, 14 Apr 2013 17:57:49 +0000 (+0200)
Subject: Added charon.initiator_only option which causes charon to ignore IKE initiation reque...
X-Git-Tag: 5.0.4~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=654c88bca8e268e7cd86483388439f033c68574f;p=thirdparty%2Fstrongswan.git
Added charon.initiator_only option which causes charon to ignore IKE initiation requests by peers
---
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index d483addbd5..9d18659a79 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -203,6 +203,9 @@ IKE_SA_INIT DROPPING).
 Limit new connections based on the number of jobs currently queued for
 processing (see IKE_SA_INIT DROPPING).
 .TP
+.BR charon.initiator_only " [no]"
+Causes charon daemon to ignore IKE initiation requests.
+.TP
 .BR charon.install_routes " [yes]"
 Install routes into a separate routing table for established IPsec tunnels
 .TP
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 6b2c2bf5b6..2ca721a856 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -148,6 +148,12 @@ struct private_receiver_t {
 	 * Delay response messages?
 	 */
 	bool receive_delay_response;
+
+	/**
+	 * Endpoint is allowed to act as an initiator only
+	 */
+	bool initiator_only;
+
 };
 
 /**
@@ -541,7 +547,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 		if (message->get_request(message) &&
 			message->get_exchange_type(message) == IKE_SA_INIT)
 		{
-			if (drop_ike_sa_init(this, message))
+			if (this->initiator_only || drop_ike_sa_init(this, message))
 			{
 				message->destroy(message);
 				return JOB_REQUEUE_DIRECT;
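Review bot: The new condition `if (this->initiator_only || drop_ike_sa_init(this, message))` discards the IKE_SA_INIT request without leaving any trace in the log, and the same guard is repeated for the IKEv1 path in the hunk at @@ -552,7 +558,7 @@; the peer only sees a retransmit timeout (the test's evaltest.dat expects "peer not responding"), which an operator cannot distinguish from a firewall or routing problem. Consider logging the policy once where the option is read in receiver_create (hunk @@ -650,6 +656,8 @@), e.g. `DBG1(DBG_NET, "initiator_only enabled, ignoring IKE initiation requests");` after the settings have been read, or a DBG2-level message at the drop itself if per-packet noise is acceptable. Assuming drop_ike_sa_init returns bool and has no other callers, moving `if (this->initiator_only) return TRUE;` to its top would leave a single place that decides and can log the drop. receive_packets and drop_ike_sa_init both start outside the hunk.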
@@ -552,7 +558,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 		{
 			id = message->get_ike_sa_id(message);
 			if (id->get_responder_spi(id) == 0 &&
-				drop_ike_sa_init(this, message))
+				(this->initiator_only || drop_ike_sa_init(this, message)))
 			{
 				message->destroy(message);
 				return JOB_REQUEUE_DIRECT;
@@ -650,6 +656,8 @@ receiver_t *receiver_create()
 								"%s.receive_delay_request", TRUE, charon->name),
 	this->receive_delay_response = lib->settings->get_bool(lib->settings,
 								"%s.receive_delay_response", TRUE, charon->name),
+	this->initiator_only = lib->settings->get_bool(lib->settings,
+								"%s.initiator_only", FALSE, charon->name),
 
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
 	if (!this->hasher)
diff --git a/testing/tests/ikev1/rw-initiator-only/description.txt b/testing/tests/ikev1/rw-initiator-only/description.txt
new file mode 100644
index 0000000000..4780041626
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior dave tries to set up a connection to roadwarrior carol
+but because carol has set the strongswan.conf option initiator_only = yes
+she ignores the repeated IKE requests sent by dave.
+

+After the failed connection attempt by dave, roadwarrior carol sets up a
+connection to gateway moon. The authentication is based on X.509 certificates.
+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol pings the client alice behind
+the gateway moon.
diff --git a/testing/tests/ikev1/rw-initiator-only/evaltest.dat b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
new file mode 100644
index 0000000000..80fd7c5be6
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644
index 0000000000..58914391c9
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..dc900c4f2d
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+	initiator_only = yes
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644
index 0000000000..b262ecbeae
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..9251921ff3
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+	retransmit_timeout = 2
+	retransmit_base = 1.5
+	retransmit_tries = 3
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644
index 0000000000..4c5df88257
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..7f31b170b9
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/posttest.dat b/testing/tests/ikev1/rw-initiator-only/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat
new file mode 100644
index 0000000000..fc7173430b
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-initiator-only/test.conf b/testing/tests/ikev1/rw-initiator-only/test.conf
new file mode 100644
index 0000000000..f292988506
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-initiator-only/description.txt b/testing/tests/ikev2/rw-initiator-only/description.txt
new file mode 100644
index 0000000000..4780041626
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior dave tries to set up a connection to roadwarrior carol
+but because carol has set the strongswan.conf option initiator_only = yes
+she ignores the repeated IKE requests sent by dave.
+

+After the failed connection attempt by dave, roadwarrior carol sets up a
+connection to gateway moon. The authentication is based on X.509 certificates.
+Upon the successful establishment of the IPsec tunnels, leftfirewall=yes
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol pings the client alice behind
+the gateway moon.
diff --git a/testing/tests/ikev2/rw-initiator-only/evaltest.dat b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
new file mode 100644
index 0000000000..80fd7c5be6
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644
index 0000000000..dd2ceea604
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..dc900c4f2d
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+	initiator_only = yes
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644
index 0000000000..b417977c95
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..9251921ff3
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+	retransmit_timeout = 2
+	retransmit_base = 1.5
+	retransmit_tries = 3
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644
index 0000000000..b82a44ad83
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..7f31b170b9
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+	load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/posttest.dat b/testing/tests/ikev2/rw-initiator-only/posttest.dat
new file mode 100644
index 0000000000..1865a1c60e
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat
new file mode 100644
index 0000000000..fc7173430b
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-initiator-only/test.conf b/testing/tests/ikev2/rw-initiator-only/test.conf
new file mode 100644
index 0000000000..f292988506
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"