本测试中远程用户(roadwarrior) carol与网关moon使用内核的加密套接口af_alg(代码位于内核文件crypto/af_alg.c)进行所有的对称加密和哈希计算,另外远程用户dave使用strongswan默认的加密插件:aes、des、sha1、sha2、md5或gmp进行相应操作。
远程用户carol和dave分别建立到网关moon的连接,认证使用X.509证书方式。连接成功建立之后,carol和dave分别ping网关moon之后的虚拟主机alice,以验证连通性。
以下启动af-alg/rw-cert测试用例,注意在启动之前需要执行start-testing脚本开启测试环境。
$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests af-alg/rw-cert
Guest kernel : 5.2.11
strongSwan : 5.8.1
Date : 20191028-0639-21
[ ok ] 1 af-alg/rw-cert: pre..test..post
Passed : 1
Failed : 0
The results are available in /srv/strongswan-testing/testresults/20191028-0639-21
or via the link http://192.168.0.150/testresults/20191028-0639-21
Finished : 20191028-0639-33
以下为测试用例af-alg/rw-cert的测试结果记录文件。
$ ls /srv/strongswan-testing/testresults/20191028-0639-21/af-alg/rw-cert/
carol.auth.log carol.swanctl.conf dave.ipsec.sql dave.swanctl.stats moon.swanctl.authorities
carol.daemon.log carol.swanctl.conns dave.iptables index.html moon.swanctl.certs
carol.ip.policy carol.swanctl.pols dave.iptables-save moon.auth.log moon.swanctl.conf
carol.ip.route carol.swanctl.pools dave.strongswan.conf moon.daemon.log moon.swanctl.conns
carol.ip.state carol.swanctl.sas dave.swanctl.algs moon.ip.policy moon.swanctl.pols
carol.ipsec.sql carol.swanctl.stats dave.swanctl.authorities moon.ip.route moon.swanctl.pools
carol.iptables console.log dave.swanctl.certs moon.ip.state moon.swanctl.sas
carol.iptables-save dave.auth.log dave.swanctl.conf moon.ipsec.sql moon.swanctl.stats
carol.strongswan.conf dave.daemon.log dave.swanctl.conns moon.iptables moon.tcpdump.log
carol.swanctl.algs dave.ip.policy dave.swanctl.pols moon.iptables-save
carol.swanctl.authorities dave.ip.route dave.swanctl.pools moon.strongswan.conf
carol.swanctl.certs dave.ip.state dave.swanctl.sas moon.swanctl.algs
以上测试结果文件记录了测试过程中虚拟主机carol和dave,以及网关moon的各种状态信息和运行日志。测试拓扑如下:
测试配置文件
配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/test.conf,内容如下。VIRTHOSTS变量定义了本测试用来需要使用的的虚拟主机列表。DIAGRAM指定了测试报告中使用的测试拓扑图,如上所示。变量IPSECHOSTS定义了测试中参与IPSec隧道建立的虚拟主机名称。SWANCTL为1表明使用命令行工具swanctl与主进程charon通信,而不是ipsec命令。
VIRTHOSTS="alice moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
# charon controlled by swanctl
#
SWANCTL=1
carol配置
连接配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf,内容如下。虚拟主机carol的IP地址为192.168.0.100,而moon网关的IP地址为192.168.0.1。
另外,此连接(名称home)定义了本次测试使用的两个proposals。分别为IPSec使用的esp_proposals,其值为3des-sha1-modp1536。以及IKE的proposal,值为3des-sha1-modp1536(三部分分别为加密算法,验证算法和Diffie-Hellman组)。version等于2表明使用IKEv2版本。
connections {
home {
local_addrs = 192.168.0.100
remote_addrs = 192.168.0.1
local {
auth = pubkey
certs = carolCert.pem
id = carol@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = 3des-sha1-modp1536
}
}
version = 2
proposals = 3des-sha1-modp1536
}
}
StrongSwan配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf,内容如下,指定需要加载的模块。注意这里的af-alg模块为本测试中测试模块。
swanctl {
load = pem pkcs1 x509 revocation constraints pubkey openssl random
}
charon-systemd {
load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
integrity_test = yes
crypto_test {
on_add = yes
}
}
其它配置文件(位于全局测试目录下),这些文件在测试准备阶段将拷贝到测试虚拟主机上,参见文件:strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录,其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件。另外三个目录为ipsec.d,network和swanctl,其中ipsec.d和swanctl分别保存各自的证书文件,本测试用例中使用swanctl工具,参见文件:tests/af-alg/rw-cert/test.conf中的变量SWANCTL。
$ ls -R strongswan-5.8.1/testing/hosts/carol/
hosts/carol/etc/hostname
hosts/carol/etc/ipsec.conf
hosts/carol/etc/ipsec.secrets
hosts/carol/etc/strongswan.conf
hosts/carol/etc/ipsec.d/ipsec.sql
hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/carol/etc/ipsec.d/certs/carolCert.pem
hosts/carol/etc/ipsec.d/private/carolKey.pem
hosts/carol/etc/network/interfaces
hosts/carol/etc/swanctl/rsa/carolKey.pem
hosts/carol/etc/swanctl/x509/carolCert.pem
hosts/carol/etc/swanctl/x509ca/strongswanCert.pem
network子目录下的文件interfaces,用于设置alice主机的网络接口eth0的IP地址信息。
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.254
iface eth0 inet6 static
address fec0::10
netmask 16
dave主机配置
连接配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf,内容如下。虚拟主机dave的IP地址为192.168.0.200,而moon网关的IP地址为192.168.0.1。
另外,此连接(名称home)定义了本次测试使用的两个proposals。分别为IPSec使用的esp_proposals,其值为aes128-sha256-modp3072。以及IKE的proposal,值为aes128-sha256-modp3072(三部分分别为加密算法,验证算法和Diffie-Hellman组)。version等于2表明使用IKEv2版本。
connections {
home {
local_addrs = 192.168.0.200
remote_addrs = 192.168.0.1
local {
auth = pubkey
certs = daveCert.pem
id = dave@strongswan.org
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128-sha256-modp3072
}
}
version = 2
proposals = aes128-sha256-modp3072
}
}
StrongSwan配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf,内容如下,指定需要加载的模块。注意与carol主机不同,这里没有加载af-alg模块,而是使用strongswan插件aes des sha1 sha2 md5。
swanctl {
load = pem pkcs1 x509 revocation constraints pubkey openssl random
}
charon-systemd {
load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici
integrity_test = yes
crypto_test {
on_add = yes
}
}
其它配置文件(位于全局测试目录下),这些文件在测试准备阶段将拷贝到测试虚拟主机上,参见文件:strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录,其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件。另外三个目录为ipsec.d,network和swanctl,其中ipsec.d和swanctl分别保存各自的证书文件,本测试用例中使用swanctl工具,参见文件:tests/af-alg/rw-cert/test.conf中的变量SWANCTL的设置。
$ ls -R strongswan-5.8.1/testing/hosts/dave/
hosts/dave/etc/hostname
hosts/dave/etc/ipsec.conf
hosts/dave/etc/ipsec.secrets
hosts/dave/etc/strongswan.conf
hosts/dave/etc/ipsec.d/ipsec.sql
hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/dave/etc/ipsec.d/certs/daveCert.pem
hosts/dave/etc/ipsec.d/private/daveKey.pem
hosts/dave/etc/network/interfaces
hosts/dave/etc/swanctl/rsa/daveKey.pem
hosts/dave/etc/swanctl/x509/daveCert.pem
hosts/dave/etc/swanctl/x509ca/strongswanCert.pem
network子目录下的文件interfaces,用于设置dave主机的网络接口eth0的IP地址信息。
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.0.200
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.254
iface eth0 inet6 static
address fec0::20
netmask 16
moon网关配置
配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-alg/hosts/moon/etc/swanctl/swanctl.conf,内容如下。注意网关moon的连接配置,每一种proposals都配置了两个。rw连接的proposals和子连接net的esp_proposals都设置为:aes128-sha256-modp3072和3des-sha1-modp1536,前者用于与主机dave建立连接;后者用于与主机carol建立连接。IKE使用IKEv2版。
作为网关,其事先并不知晓连接对端的IP地址信息,此处只有local_addrs的配置。
connections {
rw {
local_addrs = 192.168.0.1
local {
auth = pubkey
certs = moonCert.pem
id = moon.strongswan.org
}
remote {
auth = pubkey
}
children {
net {
local_ts = 10.1.0.0/16
updown = /usr/local/libexec/ipsec/_updown iptables
esp_proposals = aes128-sha256-modp3072,3des-sha1-modp1536
}
}
version = 2
proposals = aes128-sha256-modp3072,3des-sha1-modp1536
}
}
StrongSwan配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf,内容如下,指定要加载的模块。与虚拟主机carol相同,moon网关使用af-alg模块,即使用内核提供的对称加密接口。
swanctl {
load = pem pkcs1 x509 revocation constraints pubkey openssl random
}
charon-systemd {
load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
integrity_test = yes
crypto_test {
on_add = yes
}
}
其它配置文件(位于全局测试目录下),这些文件在测试准备阶段将拷贝到测试虚拟主机上,参见文件:strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录,其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件,还有rc.local文件。另外三个目录为ipsec.d,network和swanctl,其中ipsec.d和swanctl分别保存各自的证书文件,本测试用例中使用swanctl工具,参见文件:tests/af-alg/rw-cert/test.conf,中的变量SWANCTL。
$ ls -R strongswan-5.8.1/testing/hosts/moon/
hosts/moon/etc/hostname
hosts/moon/etc/ipsec.conf
hosts/moon/etc/ipsec.secrets
hosts/moon/etc/rc.local
hosts/moon/etc/strongswan.conf
hosts/moon/etc/ipsec.d/ipsec.sql
hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/moon/etc/ipsec.d/certs/moonCert.pem
hosts/moon/etc/ipsec.d/private/moonKey.pem
hosts/moon/etc/network/interfaces
hosts/moon/etc/swanctl/rsa/moonKey.pem
hosts/moon/etc/swanctl/x509/moonCert.pem
hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
network子目录下的文件interfaces,用于设置moon主机的两个网络接口eth0和eth1的IP地址信息。
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.254
iface eth0 inet6 static
address fec0::1
netmask 16
auto eth1
iface eth1 inet static
address 10.1.0.1
netmask 255.255.0.0
broadcast 10.1.255.255
iface eth1 inet6 static
address fec1::1
netmask 16
准备阶段
配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-alg/pretest.dat,内容如下。在预测试pre-test阶段,备份moon、carol和dave主机的iptables配置。启动strongswan。使用脚本expect-connection检测名称为net的连接(carol和dave主机上为home)是否建立,超过5秒钟检测不到,打印失败信息。swanctl在carol和dave主机上分别初始化一个名称为home的子连接。
通过之前的介绍已经在carol和dave主机,以及moon网关的各自配置文件(/etc/swanctl/swanctl.conf)中看到了home和net的配置信息。
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
moon::systemctl start strongswan
carol::systemctl start strongswan
dave::systemctl start strongswan
moon::expect-connection net
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
dave::swanctl --initiate --child home 2> /dev/null
脚本expect-connection的内容如下。如果/etc/strongswan.conf文件中加载了stroke模块,或者DAEMON_NAME变量有值,将使用ipsec statusall命令查看连接信息;否则使用swanctl --list-conns查看。由以上介绍的文件strongswan.conf可知,并未加载stroke模块。使用swanctl查看连接信息,并在moon主机上检查是否存在名称为net的连接,在carol和dave主机上检查是否存在home连接。默认的检测时长为5秒,可在命令行中指定此值。
secs=$2
[ ! $secs ] && secs=5
cmd="swanctl --list-conns"
grep 'load.*stroke' /etc/strongswan.conf >/dev/null
if [ $? -eq 0 -o -n "$DAEMON_NAME" ]; then
cmd="ipsec statusall"
fi
let steps=$secs*10
for i in `seq 1 $steps`
do
$cmd 2>&1 | grep ^[[:space:]]*$1: >/dev/null
[ $? -eq 0 ] && exit 0
sleep 0.1
done
echo "Connection '$1' not available after $secs second(s)"
exit 1
测试阶段
配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/evaltest.dat,内容如下。在第一行中,SSH登录到carol主机执行ping命令,并且期待alice返回的信息符合pattern:(128 bytes from PH_IP_ALICE: icmp_.eq=1)。其中PH_IP_ALICE为alice主机的IP地址。第二行测试语句,与第一行类似,此处登录到dave主机执行ping主机alice的操作。
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
第三行测试语句登录到carol主机中,使用命令swanctl --list-sas --raw显示安全关联SA的信息,在其中匹配随后的模式pattern字段,这个比较长。主要包括连接名称:home;状态:ESTABLISHED;本地地址:192.168.0.100:4500;ID信息carol@strongswan.org;远端地址信息:192.168.0.1:4500。远端IDmoon.strongswan.org。加密算法:3DES_CBC;验证算法:HMAC_SHA1_96;dh-group:MODP_1536等等。可见与以上rw-alg/hosts/carol/etc/swanctl/swanctl.conf中的配置相符。
子连接的SA匹配信息有,协议protocol字段:ESP;加密算法encr-alg字段:3DES_CBC;以及本地和远端流量选择符(ts),与以上文件swanctl.conf中的child连接配置相符。以下为carol虚拟主机执行swanctl --list-sas的显示信息,可见与测试文件evaltest.dat的第二行完全匹配。
home: #1, ESTABLISHED, IKEv2, 49db35646f699012_i* eab573efbb8c04a3_r
local 'carol@strongswan.org' @ 192.168.0.100[4500]
remote 'moon.strongswan.org' @ 192.168.0.1[4500]
3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
established 3s ago, rekeying in 13888s
home: #1, reqid 1, INSTALLED, TUNNEL, ESP:3DES_CBC/HMAC_SHA1_96
installed 3s ago, rekeying in 3261s, expires in 3957s
in c581b081, 84 bytes, 1 packets, 3s ago
out c96186f4, 84 bytes, 1 packets, 3s ago
local 192.168.0.100/32
remote 10.1.0.0/16
第四行测试语句与第三行类似,此处登录的dave主机上执行swanctl --list-sas --raw命令检查输出结果,进行匹配操作。以下为dave虚拟主机上执行swanctl命令的输出:
home: #1, ESTABLISHED, IKEv2, 623e88f6d5f105df_i* 740a8cf8e50d48e0_r
local 'dave@strongswan.org' @ 192.168.0.200[4500]
remote 'moon.strongswan.org' @ 192.168.0.1[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
established 4s ago, rekeying in 13234s
home: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
installed 4s ago, rekeying in 3236s, expires in 3956s
in cc0b2e38, 84 bytes, 1 packets, 3s ago
out c77009a8, 84 bytes, 1 packets, 3s ago
local 192.168.0.200/32
remote 10.1.0.0/16
第五行和第六行测试语句,都在moon网关上执行,这里分别使用命令swanctl --list-sas --ike-id 1 --raw和swanctl --list-sas --ike-id 2 --raw显示IKE ID为1和2的SA信息。由于在pretest.dat文件中首先执行的carol主机的测试,其在moon网关上对于的IKE ID应为1。dave主机对应的IKE ID为2。moon网关上执行swanctl --list-conns命令列出所有SA的结果如下显示。
rw: #2, ESTABLISHED, IKEv2, 623e88f6d5f105df_i 740a8cf8e50d48e0_r*
local 'moon.strongswan.org' @ 192.168.0.1[4500]
remote 'dave@strongswan.org' @ 192.168.0.200[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
established 3s ago, rekeying in 13524s
net: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
installed 3s ago, rekeying in 3403s, expires in 3957s
in c77009a8, 84 bytes, 1 packets, 3s ago
out cc0b2e38, 84 bytes, 1 packets, 3s ago
local 10.1.0.0/16
remote 192.168.0.200/32
rw: #1, ESTABLISHED, IKEv2, 49db35646f699012_i eab573efbb8c04a3_r*
local 'moon.strongswan.org' @ 192.168.0.1[4500]
remote 'carol@strongswan.org' @ 192.168.0.100[4500]
3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
established 3s ago, rekeying in 13173s
net: #1, reqid 1, INSTALLED, TUNNEL, ESP:3DES_CBC/HMAC_SHA1_96
installed 3s ago, rekeying in 3408s, expires in 3957s
in c96186f4, 84 bytes, 1 packets, 3s ago
out c581b081, 84 bytes, 1 packets, 3s ago
local 10.1.0.0/16
remote 192.168.0.100/32
最后4行测试语句都是在moon网关上执行的,这里的tcpdump命令并不执行,而是检查在以上的测试过程中后台tcpdump名称输出到文件/tmp/tcpdump.log中的日志信息,确认carol与moon,以及dave和moon之间的ESP加密的ping报文是否正常。
23 06:39:34.565750 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc96186f4,seq=0x1), length 116
24 06:39:34.565832 IP carol.strongswan.org > alice.strongswan.org: ICMP echo request, id 4804, seq 1, length 64
25 06:39:34.566274 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc581b081,seq=0x1), length 116
26 06:39:34.605771 IP dave.strongswan.org > moon.strongswan.org: ESP(spi=0xc77009a8,seq=0x1), length 136
27 06:39:34.605846 IP dave.strongswan.org > alice.strongswan.org: ICMP echo request, id 4228, seq 1, length 64
28 06:39:34.609893 IP moon.strongswan.org > dave.strongswan.org: ESP(spi=0xcc0b2e38,seq=0x1), length 136
防火墙规则
以下为测试过程中,在虚拟主机carol的filter表中加入的规则,规则的配置由swanctl.conf文件中指定的updown脚本完成(/usr/local/libexec/ipsec/_updown iptables)。在hook点INPUT上,允许UDP源和目的端口同时为500或者4500的报文,前者为IKE协议端口,后者为NAT-T使用的端口号,另外允许ESP和AH协议的报文通过,由于此测试使用ESP协议,以下AH规则的计数为空。在INPUT点上,源IP为10.1.0.0/16,目的IP为192.168.0.100的报文匹配入方向的IPSEC策略,reqid为1,协议号为50(ESP)。
在hook点OUTPUT上源IP为192.168.0.100,目的IP为10.1.0.0/16的报文匹配出方向的IPSEC策略,reqid为1,协议号为50(ESP)。
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 84 ACCEPT all -- eth0 * 10.1.0.0/16 192.168.0.100 policy match dir in pol ipsec reqid 1 proto 50
1 136 ACCEPT esp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
1 455 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
2 1944 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 84 ACCEPT all -- * eth0 192.168.0.100 10.1.0.0/16 policy match dir out pol ipsec reqid 1 proto 50
1 136 ACCEPT esp -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * eth0 0.0.0.0/0 0.0.0.0/0
1 422 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
2 2008 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
以下为在主机carol上使用ip -s xfrm policy显示的IPSec策略:
src 192.168.0.100/32 dst 10.1.0.0/16 uid 0
dir out action allow index 433 priority 375423 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-10-28 06:39:38 use 2019-10-28 06:39:38
tmpl src 192.168.0.100 dst 192.168.0.1
proto esp spi 0xc96186f4(3378611956) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.0.0/16 dst 192.168.0.100/32 uid 0
dir in action allow index 416 priority 375423 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2019-10-28 06:39:38 use 2019-10-28 06:39:38
tmpl src 192.168.0.1 dst 192.168.0.100
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
虚拟主机dave的iptables配置与以上类似。但是网关moon上配置略有不同,其IPSEC策略配置在hook点FORWORD上。
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 84 ACCEPT all -- eth0 * 192.168.0.200 10.1.0.0/16 policy match dir in pol ipsec reqid 2 proto 50
1 84 ACCEPT all -- * eth0 10.1.0.0/16 192.168.0.200 policy match dir out pol ipsec reqid 2 proto 50
1 84 ACCEPT all -- eth0 * 192.168.0.100 10.1.0.0/16 policy match dir in pol ipsec reqid 1 proto 50
1 84 ACCEPT all -- * eth0 10.1.0.0/16 192.168.0.100 policy match dir out pol ipsec reqid 1 proto 50
收尾阶段
配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/posttest.dat,内容如下。其中第一行断开carol虚拟主机上名称为home的连接。第二行断开dave主机上名称为home的连接。第三、四、五行终止carol、dave和moon网关上的StrongSwan进程。最后三行恢复moon网关以及carol和dave主机上的iptables规则。
carol::swanctl --terminate --ike home
dave::swanctl --terminate --ike home
carol::systemctl stop strongswan
dave::systemctl stop strongswan
moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
测试结果文件默认都保存在目录:/srv/strongswan-testing/testresults/20191028-0639-21/af-alg/rw-cert/下,其中文件console.log 记录了整个的测试过程。文件carol.daemon.log、dave.daemon.log和moon.daemon.log文件记录了各自主机上charon-systemd主进程的日志。完整的测试结果文件列表见本文开始部分。下图为IKEv2报文的交互报文。
附件为tcpdump抓取到的报文。
END
扫一扫
8074
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
