This test verifies the scenario in which the hosts moon and sun establish a connection using the AH protocol in transport mode, with AES-XCBC as the integrity algorithm. The test topology is as follows:
Configuration
Configuration file for sun: ikev2/host2host-ah/hosts/sun/etc/ipsec.conf, with the contents below. Note the type field, whose value transport selects transport mode, and the ah field, which specifies that AH encapsulation uses the AES-XCBC integrity algorithm.
conn %default
	keyexchange=ikev2

conn host-host
	left=PH_IP_SUN
	leftcert=sunCert.pem
	leftid=@sun.strongswan.org
	leftfirewall=yes
	right=PH_IP_MOON
	rightid=@moon.strongswan.org
	type=transport
	ah=aesxcbc
	auto=add
Configuration file for sun: ikev2/host2host-ah/hosts/sun/etc/strongswan.conf, with the contents below. The multiple_authentication field is set to no, disabling the multiple authentication exchanges defined in RFC 4739.
charon {
	load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
	multiple_authentication = no
}
Configuration file for moon: ikev2/host2host-ah/hosts/moon/etc/ipsec.conf, with the contents below. It mirrors the configuration of sun.
conn %default
	keyexchange=ikev2

conn host-host
	left=PH_IP_MOON
	leftcert=moonCert.pem
	leftid=@moon.strongswan.org
	leftfirewall=yes
	right=PH_IP_SUN
	rightid=@sun.strongswan.org
	type=transport
	ah=aesxcbc
	auto=add
Test preparation
Configuration file: ikev2/host2host-ah/pretest.dat, containing the usual commands for starting the IPsec connection.
Test phase
Configuration file: ikev2/host2host-ah/evaltest.dat, with the contents below. It first checks on both moon and sun that the host-host connection is established and that the TRANSPORT keyword, which indicates transport mode, is present. Then moon pings sun to verify connectivity, and tcpdump on sun must show AH packets in both directions.
moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
Below is the output of the ipsec status command on moon. The matched string "INSTALLED, TRANSPORT" is present, and the child SA host-host{1} uses the AES_XCBC_96 integrity algorithm.
Connections:
host-host: 192.168.0.1...192.168.0.2 IKEv2
host-host: local: [moon.strongswan.org] uses public key authentication
host-host: cert: "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
host-host: remote: [sun.strongswan.org] uses public key authentication
host-host: child: dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
host-host[1]: ESTABLISHED 0 seconds ago, 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
host-host[1]: IKEv2 SPIs: 791d46bf9115e20f_i* 89a6562649552b85_r, public key reauthentication in 2 hours
host-host[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
host-host{1}: INSTALLED, TRANSPORT, reqid 1, AH SPIs: ca502c63_i c2b92a13_o
host-host{1}: AES_XCBC_96, 64 bytes_i (1 pkt, 0s ago), 64 bytes_o (1 pkt, 0s ago), rekeying in 47 minutes
host-host{1}: 192.168.0.1/32 === 192.168.0.2/32
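The evaltest.dat checks above and the status output they match against can be exercised offline. The following is an added example, not part of the strongSwan test framework: it parses host::command::regex::YES lines, substitutes the PH_IP_* placeholders (the values assumed here follow the addresses in the status output), evaluates each regex against constructed command outputs modelled on this page, and additionally extracts the mode, protocol, SPIs and integrity algorithm of the child SA from the status text.

```python
import re
# Assumed placeholder values; the page's status output shows moon=192.168.0.1 and sun=192.168.0.2.
PH_IP = {"PH_IP_MOON": "192.168.0.1", "PH_IP_SUN": "192.168.0.2"}
def expand(text: str) -> str:
    """Substitute PH_IP_* placeholders, as happens to the test files before a test runs."""
    for key, value in PH_IP.items():
        text = text.replace(key, value)
    return text
def parse_evaltest(line: str) -> tuple:
    """Split one evaltest.dat line host::command::regex::YES|NO into (host, command, regex, expect)."""
    host, command, pattern, verdict = line.strip().split("::", 3)
    return host.strip(), expand(command.strip()), expand(pattern), verdict.strip() == "YES"
CHILD_SA_RE = re.compile(
    r"\{\d+\}:\s+INSTALLED, (?P<mode>\w+), reqid \d+, (?P<proto>AH|ESP) SPIs: "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o\n\s*[\w-]+\{\d+\}:\s+(?P<alg>[A-Z0-9_]+),")

def parse_child_sa(status: str) -> dict:
    """Extract mode, protocol, SPIs and the first algorithm (for AH: the integrity algorithm)."""
    m = CHILD_SA_RE.search(status)
    return m.groupdict() if m else {}

# Constructed sample outputs, modelled on the moon status and the evaltest lines on this page.
MOON_STATUS = """\
   host-host{1}:  INSTALLED, TRANSPORT, reqid 1, AH SPIs: ca502c63_i c2b92a13_o
   host-host{1}:  AES_XCBC_96, 64 bytes_i (1 pkt, 0s ago), 64 bytes_o (1 pkt, 0s ago), rekeying in 47 minutes
"""
OUTPUTS = {
    ("moon", "ipsec status 2> /dev/null"): MOON_STATUS,
    # seen from sun the same SA has its SPIs swapped: moon's outbound SPI is sun's inbound one
    ("sun", "ipsec status 2> /dev/null"): MOON_STATUS.replace("ca502c63_i c2b92a13_o", "c2b92a13_i ca502c63_o"),
    ("moon", "ping -c 1 192.168.0.2"): "64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.37 ms\n",
    ("sun", "tcpdump"): "IP moon.strongswan.org > sun.strongswan.org: AH(spi=0xc2b92a13,seq=0x1): ICMP echo request\n"
                        "IP sun.strongswan.org > moon.strongswan.org: AH(spi=0xca502c63,seq=0x1): ICMP echo reply\n",
}
EVALTEST = [
    "moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES",
    "sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES",
    "moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES",
    "sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES",
    "sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES",
]

def run_all(lines=EVALTEST, outputs=OUTPUTS) -> dict:
    """Map each evaltest line to True (regex outcome agrees with YES/NO) or False."""
    results = {}
    for line in lines:
        host, command, pattern, expect_match = parse_evaltest(line)
        results[line] = (re.search(pattern, outputs.get((host, command), "")) is not None) == expect_match
    return results
```

A missing capture (no output recorded for a host/command pair) is treated as empty output, so a YES expectation against it fails rather than passing silently.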
Below is the ping request packet sent by moon, showing the AH header and, within it, the outbound SPI c2b92a13.
strongSwan version under test: 5.8.1