-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
-moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
-moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
-moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
moon:: ip xfrm state::proto comp spi::YES
carol::ip xfrm state::proto comp spi::YES
# send two pings because the first is lost due to Path MTU Discovery between alice and moon
carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES
# reduce the size as the default is already larger than the threshold of 90 bytes
carol::ping6 -c 1 -s 40 ip6-alice.strongswan.org::48 bytes from ip6-alice.strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*cpi-in.*cpi-out.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- compress=yes
- leftfirewall=yes
-
-conn home
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP6_MOON
- rightsubnet=fec1::/16
- rightid=@moon.strongswan.org
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ syslog {
+ daemon {
+ default = 1
+ }
+ auth {
+ default = 0
+ }
+ }
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = fec0::10
+ remote_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = fec1::0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- compress=yes
- leftfirewall=yes
-
-conn rw
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=fec1::/16
- right=%any
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ syslog {
+ daemon {
+ default = 1
+ }
+ auth {
+ default = 0
+ }
+ }
}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = fec1::0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ ipcomp = yes
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
+moon::systemctl stop strongswan-swanctl
+carol::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
moon::ip6tables-restore < /etc/ip6tables.flush
moon::ip6tables -I OUTPUT 1 -o eth1 -p icmpv6 --icmpv6-type 2 -j ACCEPT
alice::"ip route add fec0:\:/16 via fec1:\:1"
carol::"ip route add fec1:\:/16 via fec0:\:1"
-moon::ipsec start
-carol::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
# IP protocol used by IPsec is IPv6
#
IPV6=1
+
+# charon controlled by swanctl
+#
+SWANCTL=1
projects / thirdparty / strongswan.git / commitdiff
