mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-04 00:00:14 -04:00
merged xauth-id-rsa and xauth-rsa-config scenarios
This commit is contained in:
Andreas Steffen
parent
bbbffac3ab
commit
f39a2f275e
@ -3,6 +3,8 @@ The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certif
|
||||
followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
|
||||
based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
|
||||
respectively) and corresponding user passwords defined and stored in ipsec.secrets.
|
||||
Next both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config
|
||||
protocol by using the <b>leftsourceip=%config</b> parameter.
|
||||
<p>
|
||||
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
@ -6,10 +6,10 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
|
||||
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
|
||||
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
|
||||
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
|
||||
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
|
||||
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
|
||||
moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
|
||||
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
|
||||
dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
@ -11,14 +11,15 @@ conn %default
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftsourceip=%config
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=pubkey
|
||||
leftauth2=xauth
|
||||
leftfirewall=yes
|
||||
xauth_identity=carol
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=pubkey
|
||||
xauth_identity=carol
|
||||
auto=add
|
||||
@ -17,6 +17,7 @@ conn home
|
||||
leftauth=pubkey
|
||||
leftauth2=xauth
|
||||
leftfirewall=yes
|
||||
xauth_identity=dave
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
@ -1,16 +0,0 @@
|
||||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
|
||||
moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
|
||||
moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||
@ -1,24 +0,0 @@
|
||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftcert=daveCert.pem
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=pubkey
|
||||
leftauth2=xauth
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=pubkey
|
||||
xauth_identity=dave
|
||||
auto=add
|
||||
@ -1,22 +0,0 @@
|
||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftauth=pubkey
|
||||
leftfirewall=yes
|
||||
right=%any
|
||||
rightauth=pubkey
|
||||
rightauth2=xauth
|
||||
auto=add
|
||||
@ -1,11 +0,0 @@
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
|
||||
The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
|
||||
followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
|
||||
based on user names and passwords. Next both <b>carol</b> and <b>dave</b> request a
|
||||
<b>virtual IP</b> via the IKE Mode Config protocol by using the
|
||||
<b>leftsourceip=%config</b> parameter.
|
||||
<p>
|
||||
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
|
||||
inserts iptables-based firewall rules that let pass the tunneled traffic.
|
||||
In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
|
||||
<b>alice</b> behind the gateway <b>moon</b>.
|
||||
@ -1,24 +0,0 @@
|
||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftsourceip=%config
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=pubkey
|
||||
leftauth2=xauth
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=pubkey
|
||||
auto=add
|
||||
@ -1,5 +0,0 @@
|
||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
|
||||
|
||||
carol@strongswan.org : XAUTH "4iChxLT3"
|
||||
@ -1,9 +0,0 @@
|
||||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
@ -1,5 +0,0 @@
|
||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA daveKey.pem
|
||||
|
||||
dave@strongswan.org : XAUTH "ryftzG4A"
|
||||
@ -1,9 +0,0 @@
|
||||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
@ -1,7 +0,0 @@
|
||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
carol@strongswan.org : XAUTH "4iChxLT3"
|
||||
|
||||
dave@strongswan.org : XAUTH "ryftzG4A"
|
||||
@ -1,9 +0,0 @@
|
||||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
|
||||
}
|
||||
|
||||
libstrongswan {
|
||||
dh_exponent_ansi_x9_42 = no
|
||||
}
|
||||
@ -1,6 +0,0 @@
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
||||
@ -1,9 +0,0 @@
|
||||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
||||
dave::ipsec up home
|
||||
@ -1,21 +0,0 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
Loading…
x
Reference in New Issue
Block a user