-An IPv6 ESP transport connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
-The authentication is based on X.509 certificates. Upon the successful establishment of
-the IPsec SA, <b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall
-rules that let pass the protected traffic. In order to test both the transport connection
-and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command.
+An IPv6 ESP transport connection between the hosts <b>moon</b> and <b>sun</b> is
+successfully set up. The authentication is based on X.509 certificates. Upon the
+successful establishment of the IPsec SA, automatically inserted ip6tables-based
+firewall rules let pass the protected traffic. In order to test both the transport
+connection and the firewall rules, <b>moon</b> sends an IPv6 ICMP request to
+<b>sun</b> using the ping6 command.
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
moon::ip xfrm state::mode transport::YES
sun:: ip xfrm state::mode transport::YES
moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]::YES
+sun ::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://ip6-winnetou.strongswan.org/certs/
- crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- mobike=no
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP6_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftfirewall=yes
- right=PH_IP6_SUN
- rightid=@sun.strongswan.org
- type=transport
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- hash_and_url = yes
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ syslog {
+ daemon {
+ default = 1
+ }
+ auth {
+ default = 0
+ }
+ }
}
--- /dev/null
+connections {
+
+ host-host {
+ local_addrs = fec0::1
+ remote_addrs = fec0::2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-ca strongswan
- cacert=strongswanCert.pem
- certuribase=http://ip6-winnetou.strongswan.org/certs/
- crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
- auto=add
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- mobike=no
- keyexchange=ikev2
-
-conn host-host
- left=PH_IP6_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
- right=PH_IP6_MOON
- rightid=@moon.strongswan.org
- type=transport
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
-charon {
- hash_and_url = yes
- load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+ syslog {
+ daemon {
+ default = 1
+ }
+ auth {
+ default = 0
+ }
+ }
}
--- /dev/null
+connections {
+
+ host-host {
+ local_addrs = fec0::2
+ remote_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
-moon::ipsec stop
-sun::ipsec stop
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::ip6tables-restore < /etc/ip6tables.flush
sun::iptables-restore < /etc/iptables.drop
moon::ip6tables-restore < /etc/ip6tables.rules
sun::ip6tables-restore < /etc/ip6tables.rules
-moon::ipsec start
-sun::ipsec start
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
moon::expect-connection host-host
sun::expect-connection host-host
-moon::ipsec up host-host
+moon::swanctl --initiate --child host-host
# All guest instances that are required for this test
#
VIRTHOSTS="moon winnetou sun"
-
+
# Corresponding block diagram
#
DIAGRAM="m-w-s-ip6.png"
# IP protocol used by IPsec is IPv6
#
IPV6=1
+
+# charon controlled by swanctl
+#
+SWANCTL=1
projects / thirdparty / strongswan.git / commitdiff
