This test verifies the IKEv2 daemon's automatic selection of the local address of an IPsec security association: the daemon looks up the route to the remote IPsec peer in the kernel routing table and derives the local source IP address from it. Hosts moon and bob act as initiators with auto=route; hosts alice and sun act as responders with auto=add. Host moon pings hosts alice and sun, and host bob likewise pings host sun; the data traffic triggers the establishment of the connections. The test topology is as follows:
Configuration of host moon
Connection configuration file ikev2/any-interface/hosts/moon/etc/ipsec.conf, shown below. In the %default connection the mode is set to transport; note left=%any, which does not pin down the IP address of the local interface. The following connections alice and sun both set auto=route, which is exactly the feature under test.
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no
        type=transport
        compress=yes
        dpdaction=hold
        dpddelay=10
        left=%any
        leftcert=moonCert.pem

conn alice
        right=PH_IP_ALICE
        rightid="C=CH, O=strongSwan Project, OU=Sales, CN=alice@strongswan.org"
        auto=route

conn sun
        right=PH_IP_SUN
        rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
        auto=route
Configuration of host bob
Connection configuration file ikev2/any-interface/hosts/bob/etc/ipsec.conf. Its content is essentially the same as moon's above, except that the connection to host alice is absent; only the connection to host sun (its eth1 interface), again named sun, remains.
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no
        type=transport
        compress=yes
        dpdaction=hold
        dpddelay=10
        left=%any
        leftcert=bobCert.pem

conn sun
        right=PH_IP_SUN1
        rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
        auto=route
Configuration of host alice
Connection configuration file ikev2/any-interface/hosts/alice/etc/ipsec.conf, shown below. In the connection definition named remote both left and right are set to %any: on the one hand the host selects its own communication address automatically, on the other hand the peer's IP address is not restricted. auto is set to add. The configuration of host sun is essentially the same as alice's.
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no
        type=transport
        compress=yes
        dpdaction=clear
        dpddelay=10
        left=%any
        leftcert=aliceCert.pem

conn remote
        right=%any
        auto=add
Test preparation phase
Configuration file ikev2/any-interface/pretest.dat, shown below. In the pre-test phase the four participating hosts are started; the responders alice and sun wait for the remote connection to be loaded, and on the initiator moon the connection named alice is expected to be loaded. Afterwards moon pings hosts alice and sun.
Finally, on host bob the connection named sun is expected to be loaded, and bob pings the eth1 interface address of host sun.
winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN
alice::ipsec start
moon::ipsec start
sun::ipsec start
bob::ipsec start
alice::expect-connection remote
sun::expect-connection remote
moon::expect-connection alice
moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_ALICE
moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN
bob::expect-connection sun
bob::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN1
Test phase
Configuration file ikev2/any-interface/evaltest.dat. First, the logs on the initiators moon and bob are checked for the acquire job: once the pings are started, moon pings alice's IP address 10.1.0.10 and bob pings sun's eth1 interface address 10.2.0.1. In both cases the destination IP address matches an IPsec policy in the kernel, but no SA exists yet, so the kernel sends an acquire message to user space. The log lines below show moon and bob receiving the acquire message; the acquire carries the selected local egress IP address up to the application layer.
moon:: cat /var/log/daemon.log::creating acquire job::YES
bob:: cat /var/log/daemon.log::creating acquire job::YES
The following is the output of ipsec statusall. Note the Routed Connections section: the connection to host sun has selected the local address 192.168.0.1 with reqid 2, while the connection to host alice has selected the local address 10.1.0.1 with request ID (reqid) 1.
Connections:
alice: %any...10.1.0.10 IKEv2, dpddelay=10s
alice: local: [C=CH, O=strongSwan Project, CN=moon.strongswan.org] uses public key authentication
alice: cert: "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
alice: remote: [C=CH, O=strongSwan Project, OU=Sales, CN=alice@strongswan.org] uses public key authentication
alice: child: dynamic === dynamic TRANSPORT, dpdaction=hold
sun: %any...192.168.0.2 IKEv2, dpddelay=10s
sun: local: [C=CH, O=strongSwan Project, CN=moon.strongswan.org] uses public key authentication
sun: cert: "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
sun: remote: [C=CH, O=strongSwan Project, CN=sun.strongswan.org] uses public key authentication
sun: child: dynamic === dynamic TRANSPORT, dpdaction=hold
Routed Connections:
sun{2}: ROUTED, TRANSPORT, reqid 2
sun{2}: 192.168.0.1/32 === 192.168.0.2/32
alice{1}: ROUTED, TRANSPORT, reqid 1
alice{1}: 10.1.0.1/32 === 10.1.0.10/32
Compare this with the following log of the strongSwan daemon on host moon: after receiving the acquire message it initiates the IKE connection. The reqid values match those shown above exactly.
moon charon: 07[CFG] received stroke: route 'alice'
moon charon: 11[CFG] received stroke: route 'sun'
...
moon charon: 15[KNL] creating acquire job for policy 10.1.0.1/32[udp/56614] === 10.1.0.10/32[udp/1025] with reqid {1}
moon charon: 16[IKE] initiating IKE_SA alice[1] to 10.1.0.10
...
moon charon: 05[KNL] creating acquire job for policy 192.168.0.1/32[udp/46507] === 192.168.0.2/32[udp/1025] with reqid {2}
moon charon: 05[IKE] initiating IKE_SA sun[2] to 192.168.0.2
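The reqid correlation described above can be checked mechanically. The following script is an added example, not part of the original test or of strongSwan: it parses the Routed Connections section of ipsec statusall and the charon acquire/initiation log lines (the sample input is constructed from the values reported on moon) and verifies that every kernel acquire belongs to an installed trap policy, carries the local address that policy was installed with, and is followed by an IKE_SA initiation of that connection towards the policy's remote host.

```python
import re

# Constructed sample input: the "Routed Connections" part of `ipsec statusall`
# and the charon log lines of this scenario, using the values reported on moon.
STATUSALL = """\
Routed Connections:
sun{2}:  ROUTED, TRANSPORT, reqid 2
sun{2}:   192.168.0.1/32 === 192.168.0.2/32
alice{1}:  ROUTED, TRANSPORT, reqid 1
alice{1}:   10.1.0.1/32 === 10.1.0.10/32
"""
DAEMON_LOG = """\
moon charon: 15[KNL] creating acquire job for policy 10.1.0.1/32[udp/56614] === 10.1.0.10/32[udp/1025] with reqid {1}
moon charon: 16[IKE] initiating IKE_SA alice[1] to 10.1.0.10
moon charon: 05[KNL] creating acquire job for policy 192.168.0.1/32[udp/46507] === 192.168.0.2/32[udp/1025] with reqid {2}
moon charon: 05[IKE] initiating IKE_SA sun[2] to 192.168.0.2
"""
# A routed child spans two statusall lines: "name{n}: ROUTED, ..., reqid R" and
# "name{n}: local/32 === remote/32" (host selectors, because type=transport).
ROUTED_RE = re.compile(
    r"^(\w+)\{(\d+)\}:\s+ROUTED,.*?reqid (\d+)\n\1\{\2\}:\s+(\S+?)/32 === (\S+?)/32", re.M)
ACQUIRE_RE = re.compile(
    r"creating acquire job for policy (\S+?)/32\[[^\]]*\] === (\S+?)/32\[[^\]]*\] with reqid \{(\d+)\}")
INIT_RE = re.compile(r"initiating IKE_SA (\w+)\[\d+\] to (\S+)")

def parse_routed(statusall):
    """Map reqid -> {name, local, remote} for every trap (ROUTED) policy."""
    return {int(reqid): {"name": name, "local": local, "remote": remote}
            for name, _, reqid, local, remote in ROUTED_RE.findall(statusall)}

def check_acquires(statusall, log):
    """Cross-check each kernel acquire against the trap policies: the reqid must be a
    routed connection, the selectors (incl. the route-derived local address) must match
    that policy, and charon must then initiate that connection's IKE_SA to the peer."""
    routed = parse_routed(statusall)
    initiated = dict(INIT_RE.findall(log))  # conn name -> peer address
    results = []
    for local, remote, reqid in ACQUIRE_RE.findall(log):
        entry = routed.get(int(reqid))
        if entry is None:
            verdict = "unknown reqid"
        elif (entry["local"], entry["remote"]) != (local, remote):
            verdict = "selector mismatch"
        elif initiated.get(entry["name"]) != remote:
            verdict = "no IKE_SA initiated to peer"
        else:
            verdict = "ok"
        results.append({"conn": entry["name"] if entry else None, "reqid": int(reqid),
                        "local": local, "verdict": verdict})
    return results

print(check_acquires(STATUSALL, DAEMON_LOG))
```

Feed it the real `ipsec statusall` output and `/var/log/daemon.log` of an initiator to confirm that the local address chosen via the routing table is the one the trap policy was installed with; any verdict other than "ok" points at a policy/acquire mismatch worth investigating.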
strongSwan version under test: 5.8.1