In this test, the remote user (roadwarrior) carol establishes a connection to the gateway moon. Authentication is based on X.509 certificates; to authorize the remote user, the moon gateway expects the user to include an attribute certificate in the CERT payload of the IKEv2 message. The carol host holds two certificates, for the groups sales and finance respectively; the attribute certificate for the finance group has expired and is no longer valid, so carol is granted access only to the sales group.
Start the ikev2/acert-fallback test case as follows; note that the start-testing script must be run first to bring up the test environment.
$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests ikev2/acert-fallback
Guest kernel : 5.2.11
strongSwan : 5.8.1
Date : 20191030-1120-27
[ ok ] 1 ikev2/acert-fallback: pre..test..post
Passed : 1
Failed : 0
The results are available in /srv/strongswan-testing/testresults/20191030-1120-27
or via the link http://192.168.0.150/testresults/20191030-1120-27
Finished : 220191030-1120-33
The output above shows that the result files of the ikev2/acert-fallback test case are stored in the directory /srv/strongswan-testing/testresults/20191030-1120-27/ikev2/acert-fallback/; these files record the state information and run-time logs of the virtual host carol and the gateway moon during the test. The test topology is as follows:
carol configuration
Connection configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf, shown below. The virtual host carol has IP address 192.168.0.100 and the moon gateway has IP address 192.168.0.1.
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn home
        left=PH_IP_CAROL
        leftcert=carolCert.pem
        leftid=carol@strongswan.org
        leftfirewall=yes
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
        keyexchange=ikev2
        auto=add
strongSwan configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf, shown below; it specifies the plugins to load.
charon {
        load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
}
In addition, this test provides the carol host with two attribute certificates: carol-finance-expired.pem and carol-sales.pem. The information for the former is shown below; its groups field is finance, but its validity period has already expired.
$ cd strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/
$
$ pki --print --type ac --in carol-finance-expired.pem
subject: "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
issuer: "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
validity: not before Sep 14 08:37:52 2019, ok
not after Sep 15 08:37:52 2019, expired (45 days ago)
serial: 65:cb:97:37:1d:53:3f:49
hissuer: "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
hserial: 01
groups: finance
authkey: 46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71
Below is the information for the attribute certificate carol-sales.pem; its groups field is sales and it is within its validity period.
$ pki --print --type ac --in carol-sales.pem
subject: "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
issuer: "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
validity: not before Sep 15 08:37:52 2019, ok
not after Sep 14 08:37:52 2027, ok (expires in 2875 days)
serial: 33:bd:8a:19:d5:43:94:d3
hissuer: "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
hserial: 01
groups: sales
authkey: 46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71
moon gateway configuration
Configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf, shown below. Two connections are configured, finance and sales. The former requires the finance group and grants access to 10.1.0.10/32, a single host, alice. The latter requires the sales group and grants access to 10.1.0.20/32, a single host, venus.
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn finance
        left=PH_IP_MOON
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftsubnet=10.1.0.10/32
        leftfirewall=yes
        right=%any
        rightid=*@strongswan.org
        rightgroups=finance
        keyexchange=ikev2
        auto=add

conn sales
        left=PH_IP_MOON
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftsubnet=10.1.0.20/32
        leftfirewall=yes
        right=%any
        rightgroups=sales
        keyexchange=ikev2
        auto=add
The certificates used by the moon gateway are as follows:
$ ls strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ -R
ipsec.d/aacerts/aaCert.pem
ipsec.d/private/aaKey.pem
Below is the certificate held by the moon gateway (aaCert.pem): its issuer is strongSwan Root CA, and its own CN is strongSwan Attribute Authority.
$ pki --print --type x509 --in strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
subject: "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
issuer: "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
validity: not before Sep 14 08:37:52 2019, ok
not after Sep 14 08:37:52 2028, ok (expires in 3241 days)
serial: 17
flags:
CRL URIs: http://crl.strongswan.org/strongswan.crl
authkeyId: 7e:a0:7b:77:a5:91:58:79:df:35:eb:4e:fc:0f:b6:b8:68:ae:a2:47
subjkeyId: 46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71
pubkey: RSA 3072 bits
keyid: b4:5c:07:1b:d6:cf:dc:68:7c:c9:2a:5d:ca:5d:47:ce:3f:27:9f:b1
subjkey: 46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71
strongSwan configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf, shown below; it specifies the plugins to load.
charon {
        load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown
}
Preparation phase
Configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/pretest.dat, shown below. In the pre-test phase, the iptables rule configuration of the moon gateway and the carol host is restored from the saved rules file, and strongSwan is started. The expect-connection script is then used on the moon gateway and the carol host to check that the connections named finance, sales and home have been set up. Finally, the home connection is brought up on the carol host.
The configuration of the home, finance and sales connections was already seen above in the configuration files (etc/ipsec.conf) of the carol host and the moon gateway.
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
moon::expect-connection finance
moon::expect-connection sales
carol::expect-connection home
carol::ipsec up home
Test phase
Configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/evaltest.dat, shown below. First, the state of the connection to the moon gateway is checked on the carol host, and on the moon gateway the connection states for dave and carol are checked: the former must not be found, and carol's connection must be ESTABLISHED. Second, the strongSwan daemon log on the moon gateway is checked to confirm that the finance group check failed.
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES
The following test statements ping the IP addresses of the hosts alice and venus from the carol host; the former must get no reply, while the latter must receive one. The last two lines check the tcpdump log on the moon gateway to confirm the ESP-encrypted ping packets.
carol::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
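As an added illustration of the evaltest.dat format used above (this is not part of the strongSwan test suite): a small Python checker that parses the host::command::regex::YES|NO lines and evaluates them against constructed sample command output.

```python
import re
from dataclasses import dataclass

@dataclass
class EvalCheck:
    host: str            # guest that runs the command (moon, carol, ...)
    command: str         # shell command executed on that guest
    pattern: str         # regex matched against the command's output
    expect_match: bool   # YES: pattern must match, NO: it must not

def parse_evaltest_line(line: str) -> EvalCheck:
    """Parse one 'host::command::regex::YES|NO' line ('::' separates fields)."""
    parts = [p.strip() for p in line.split("::")]
    if len(parts) != 4 or parts[3] not in ("YES", "NO"):
        raise ValueError(f"malformed evaltest line: {line!r}")
    host, command, pattern, expect = parts
    return EvalCheck(host, command, pattern, expect == "YES")

def evaluate(check: EvalCheck, output: str) -> bool:
    """True when the regex result agrees with the YES/NO expectation."""
    matched = re.search(check.pattern, output) is not None
    return matched == check.expect_match

def run_checks(lines, outputs):
    """Evaluate every line; outputs maps (host, command) to captured output."""
    results = {}
    for line in lines:
        check = parse_evaltest_line(line)
        results[line] = evaluate(check, outputs.get((check.host, check.command), ""))
    return results

EVALTEST_LINES = [  # copied from the evaltest.dat shown above
    "moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO",
    "moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES",
    "moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES",
]

# Constructed sample command output (not captured from the real test run)
SAMPLE_OUTPUT = {
    ("moon", "ipsec status 2> /dev/null"):
        "Security Associations (1 up, 0 connecting):\n"
        "  sales[1]: ESTABLISHED 5 seconds ago, 192.168.0.1[moon.strongswan.org]"
        "...192.168.0.100[carol@strongswan.org]\n",
    ("moon", "cat /var/log/daemon.log"):
        "moon charon: 14[CFG] constraint check failed: group membership to 'finance' required\n"
        "moon charon: 14[CFG] switching to peer config 'sales'\n",
}

if __name__ == "__main__":
    for line, ok in run_checks(EVALTEST_LINES, SAMPLE_OUTPUT).items():
        print("PASS" if ok else "FAIL", line)
```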
Cleanup phase
Configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/posttest.dat, shown below. The strongSwan daemons on the carol host and the moon gateway are stopped, the iptables rule configuration on the moon gateway and the carol host is restored, and finally the certificate files used in the test are deleted.
moon::ipsec stop
carol::ipsec stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
carol::rm /etc/ipsec.d/acerts/carol-sales.pem
carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem
moon::rm /etc/ipsec.d/private/aaKey.pem
moon::rm /etc/ipsec.d/aacerts/aaCert.pem
The test result files are saved by default under /srv/strongswan-testing/testresults/20191030-1120-27/ikev2/acert-fallback; console.log records the whole test run, and carol.daemon.log and moon.daemon.log record the logs of the charon-systemd main process. Below is the log from the moon host; it shows that because carol's sales certificate does not match the group of the finance connection, the daemon switches to the sales connection:
moon charon: 14[IKE] received attribute certificate issued by "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
moon charon: 14[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]
moon charon: 14[CFG] selected peer config 'finance'
moon charon: 14[CFG] using certificate "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 14[CFG] verifying attribute certificate issued by "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
moon charon: 14[CFG] constraint check failed: group membership to 'finance' required
moon charon: 14[CFG] selected peer config 'finance' unacceptable: non-matching authentication done
moon charon: 14[CFG] switching to peer config 'sales'
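The fallback visible in this log can be modelled in a few lines. The following Python is an added, simplified model of the behaviour (not strongSwan's own code): a peer config is rejected when its rightgroups are not covered by an attribute certificate that is valid at the time of the connection, and the next config is tried. The sales conn sets no rightid, which is modelled here as %any; the acert and conn values are taken from the pki output and ipsec.conf shown above.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AttributeCert:
    holder: str           # subject of the acert (the IKE identity it vouches for)
    groups: frozenset     # 'groups' attribute as printed by 'pki --print --type ac'
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class PeerConfig:
    name: str
    rightid: str            # "%any" or a pattern such as "*@strongswan.org"
    rightgroups: frozenset  # required groups; empty set means no constraint
    leftsubnet: str

def id_matches(pattern: str, identity: str) -> bool:
    return (pattern == "%any" or pattern == identity
            or (pattern.startswith("*") and identity.endswith(pattern[1:])))

def select_peer_config(configs, peer_id, acerts, now, log):
    """Try candidates in order; reject a config whose rightgroups are not covered
    by an acert of the peer that is valid at 'now', then try the next one."""
    groups = set()
    for ac in acerts:  # expired or not-yet-valid acerts contribute no groups
        if ac.holder == peer_id and ac.not_before <= now <= ac.not_after:
            groups |= ac.groups
    for cfg in configs:
        if not id_matches(cfg.rightid, peer_id):
            continue
        log.append(f"selected peer config '{cfg.name}'")
        missing = sorted(cfg.rightgroups - groups)
        if missing:
            log.append(f"constraint check failed: group membership to '{missing[0]}' required")
            continue
        return cfg
    return None

# Values taken from the pki output and ipsec.conf shown on this page
CAROL = "carol@strongswan.org"
RUN_TIME = datetime(2019, 10, 30, 11, 20)  # time of the test run shown above
ACERTS = [
    AttributeCert(CAROL, frozenset({"finance"}), datetime(2019, 9, 14, 8, 37, 52), datetime(2019, 9, 15, 8, 37, 52)),
    AttributeCert(CAROL, frozenset({"sales"}), datetime(2019, 9, 15, 8, 37, 52), datetime(2027, 9, 14, 8, 37, 52)),
]
CONFIGS = [  # moon's conn order; 'sales' sets no rightid, modelled here as %any
    PeerConfig("finance", "*@strongswan.org", frozenset({"finance"}), "10.1.0.10/32"),
    PeerConfig("sales", "%any", frozenset({"sales"}), "10.1.0.20/32"),
]
```

Calling select_peer_config(CONFIGS, CAROL, ACERTS, RUN_TIME, log) returns the sales config and leaves the same "constraint check failed" line in log that appears in moon's daemon log.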
END