SWAN之ikev2协议multi-level-ca-cr-resp配置测试

最新推荐文章于 2020-05-07 18:38:01 发布
最新推荐文章于 2020-05-07 18:38:01 发布
阅读量385 收藏
点赞数
分类专栏: IPSecurity 文章标签: strongswan
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/sinat_20184565/article/details/103038174
版权

本测试主要验证多级CA证书验证的功能,远程用户carol,dave与网关moon建立连接时,carol和dave使用中间CA证书以及中间CA所签发的实体证书,moon主机使用CA根证书。在认证过程中,carol和dave在IKE_AUTH请求消息中将中间CA证书发送给moon主机。本次测试拓扑如下:
在这里插入图片描述

carol主机配置

carol的配置文件:ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf,内容如下。字段rightca的值为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",即要求对端的证书由名称CN为:"strongSwan Root CA"的CA签发。

conn %default
        keyexchange=ikev2
        left=PH_IP_CAROL
        leftcert=carolCert.pem
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add

carol主机的CA证书文件researchCert.pem内容如下,其有名称为"strongSwan Root CA"的根证书签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem -noout -text   
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Root CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2028 GMT
        Subject: C = CH, O = strongSwan Project, OU = Research, CN = Research CA

carol主机的证书文件carolCert.pem内容如下,其有以上名称为"Research CA"的证书(researchCert.pem)签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem -noout -text                  
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, OU = Research, CN = Research CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2027 GMT
        Subject: C = CH, O = strongSwan Project, OU = Research, CN = carol@strongswan.org

dave主机配置

dave的配置文件:ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf,内容如下。字段rightca的值为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",即要求对端的证书由名称CN为:"strongSwan Root CA"的CA证书签发。

conn %default
        keyexchange=ikev2
        left=PH_IP_DAVE
        leftcert=daveCert.pem
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add

dave的CA证书文件salesCert.pem内容如下,其有名称为"strongSwan Root CA"的根证书签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Root CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2028 GMT
        Subject: C = CH, O = strongSwan Project, OU = Sales, CN = Sales CA

dave主机的证书文件daveCert.pem内容如下,其有以上名称为"Sales CA"的证书(salesCert.pem)签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, OU = Sales, CN = Sales CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2027 GMT
        Subject: C = CH, O = strongSwan Project, OU = Sales, CN = dave@strongswan.org

网关配置

moon网关的配置文件:ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf,内容如下。ca段指定了moon主机使用的CA证书,以及CRL证书的地址。

另外,分别定义了两个连接。名称为alice的连接配置中,rightca字段为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",要求对端的证书由名称(CN)为"strongSwan Root CA"的CA签发。

连接venus配置中,rightca字段为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",要求对端的证书由名称(CN)为"strongSwan Root CA"的CA签发。由以上carol和dave主机的配置可知,两个主机的证书都满足要求,这里以rightid来区分两个远程用户连接。

moon主机没有中间CA证书:“Research CA"和"Sales CA”。

ca strongswan
        cacert=strongswanCert.pem
        crluri=http://crl.strongswan.org/strongswan.crl
        auto=add

conn %default
        keyexchange=ikev2
        left=PH_IP_MOON
        leftcert=moonCert.pem
        leftsendcert=ifasked
        leftid=@moon.strongswan.org

conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
        auto=add

conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
        auto=add

测试准备阶段

配置文件:ikev2/multi-level-ca-cr-resp/pretest.dat,内容为通常的ipsec连接的启动语句。

测试阶段

配置文件:ikev2/multi-level-ca-cr-resp/evaltest.dat内容如下。在carol和dave主机的strongswan日志文件中,确认向对端(moon)发送中间证书的信息。在moon主机的strongswan日志中确认证书验证过程。

carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES

以下carol网关上strongswan进程的日志信息,在IKE_AUTH请求报文中,发送两个证书请求,一个是名称CN为:“strongSwan Root CA"的证书请求;另一个是CN为"Research CA"的证书请求。另外,发送本地的实体证书,CN为"arol@strongswan.org”,以及CN为"Research CA"的中间CA证书。

carol charon: 12[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (273 bytes)
carol charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
carol charon: 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
carol charon: 12[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
carol charon: 12[IKE] sending cert request for "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
carol charon: 12[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
carol charon: 12[IKE] authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
carol charon: 12[IKE] sending end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
carol charon: 12[IKE] sending issuer cert "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
carol charon: 12[IKE] establishing CHILD_SA alice{1}
carol charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

如下图所示,carol的IKE_AUTH请求报文中包含两个CERT证书载荷。

在这里插入图片描述

以下为moon主机上strongswan进程日志中与carol相关的信息。moon网关在接收到的IKE_AUTH响应报文中,首先发现对CN为"strongSwan Root CA"证书的请求;之后又发现证书请求中包含不识别的CA,即carol发送的CA名称为"Research CA"的证书请求。

接下来,moon发现除了接收到carol的实体证书外,还接收到了中间CA证书,其CN为"Research CA"。

moon charon: 16[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1236 bytes)
moon charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
moon charon: 05[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[IKE] received 1 cert requests for an unknown ca
moon charon: 05[IKE] received end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 05[IKE] received issuer cert "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org]

以上信息匹配到moon的配置的连接alice,虽然接收到的"Research CA"证书不可信,但是仍然使用它验证获取到的research.crl证书,再有此CRL证书验证carol证书的有效性。最后,获取strongswan.crl证书,由根证书"strongSwan Root CA"验证其有效性,在由此CRL证书验证中间CA证书"Research CA"的有效性。

moon charon: 05[CFG] selected peer config 'alice'
moon charon: 05[CFG]   using certificate "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 05[CFG]   using untrusted intermediate certificate "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG] checking certificate status of "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 05[CFG]   fetching crl from 'http://crl.strongswan.org/research.crl' ...
moon charon: 05[CFG]   using certificate "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[CFG]   reached self-signed root ca with a path length of 0
moon charon: 05[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG]   crl is valid: until Nov 15 03:32:58 2019
moon charon: 05[CFG] certificate status is good
moon charon: 05[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[CFG] checking certificate status of "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
moon charon: 05[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[CFG]   crl is valid: until Nov 15 03:32:58 2019
moon charon: 05[CFG] certificate status is good
moon charon: 05[CFG]   reached self-signed root ca with a path length of 1
moon charon: 05[IKE] authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful

strongswan测试版本: 5.8.1

END

redwingz
关注
专栏目录
linux ikev2 端口,ipsec使用的500端口和4500端口可以似乎被封杀了?
weixin_31232021的博客
05-11 1788
从几周前开始突然连不上了,ipsec start --nofork 前台运行打印的日志显示15[NET] received packet: from 116.253.84.217[500] to 162.243.153.127[500] (604 bytes)15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_...
strongswan 配置过程与问题
琪花亿草
04-24 2万+
一 过程参考:https://blog.csdn.net/gaojinshan/article/details/508205131.1 生成证书1)生成CA的密钥和证书:ipsec pki --gen --outform pem > caKey.pem ipsec pki --self --outform pem --in caKey.pem --dn "C=CN, O=TJ, CN=Tes...
使用StrongSwan配置IPSec
热门推荐
Xiaowo
03-22 5万+
使用StrongSwan对IPSec进行研究,是一种很好的理解IPSec的实践。然而StrongSwan在使用的过程中实在是有太多的坑,网上的教程也多有不完整的地方,几乎没有能彻彻底底说明白每一步的,导致我在使用StrongSwan的过程中各种抓耳挠腮。程序员自然要造福程序员,在这里特将StrongSwan使用中所遇到的完整步骤记录下来,希望有所帮助。准备工作准备工作可不是简单地装个StrongSw
SWANikev2协议multi-level-ca-cr-init配置测试
redwingz的博客
11-12 563
测试主要验证多级CA证书验证的功能,远程用户moon与网关carol,dave建立连接时,carol和dave使用中间CA证书以及中间CA所签发的实体证书,moon主机使用CA根证书。在认证过程中,carol和dave在IKE_AUTH响应消息中将中间CA证书发送给moon主机。本次测试拓扑如下: carol网关配置 carol的配置文件:ikev2/multi-level-ca-cr-ini...
X509 证书详解
blue0bird的专栏
12-01 2万+
X509 证书详解 1 Certificates 1-1 Structure of a Certificate 1-2 Extensions informing a specific usage of a certficate 1-3 Certificate filename extensions 2 Certificate chains and cross-certifica
Multi-stage:基于7人集成,实时,可操作的海岸环流,风浪预报系统
03-18
核心模型ADCIRC + SWAN模型在每个周期受七个风力强迫。风强迫包括确定性的北美中尺度模型(NAM),集合平均值,集合平均值+ 1标准偏差和集合平均值-短距离区域集合预报(SREF)的1标准偏差和集合平均值
swan-aspnetcore:SWAN ASP.NET核心
05-28
Swan ASP.NET Core 3:我们都需要的东西 :star: 如果您觉得该项目有用,请加注星标! **注意:此存储库已存档。 ** 与ASP.NET Core 3.0应用程序一起使用的一组库。 此外,还包括用于配置项目的配置中间件和扩展。...
jupyter-extensions:适用于SWAN的Jupyter扩展
04-30
存储所有用于SWAN的Jupyter扩展的存储库。 浏览Hadoop扩展 帮助连接到CERN的Spark集群 实时监控笔记本生成的Apache Spark作业 - Contents Manager,具有项目功能和SWAN模板 适用于笔记本和实验室的SWAN帮助面板 ...
swan-10-03-12.tar.gz_OpencL_opencl cuda_swan
09-21
本文将重点讨论标题为"swan-10-03-12.tar.gz_OpencL_opencl cuda_swan"的压缩包中的Swan工具,这是一个辅助从CUDA到OpenCL移植的实用程序。 Swan的设计目标是为了简化开发人员的工作,帮助他们将原本基于CUDA的代码...
SWAN-INCOIS-Proposal-v3-compressed (1).docx_swan_incois_weather_
09-30
weather monitoring station for use on board a ship
strongswan-5.8.4.tar.bz2
09-24
最新的strongswan-5.8.4源码,主要可以在各种linux上进行移植使用,目前看兼容效果非常好,已经和华三、锐捷设备进行过对接,
使用libreswan搭建ipsec点对点隧道 实现两idc内网网段互通
weixin_43423965的博客
03-25 1万+
使用libreswan搭建ipsec点对点隧道 实现两idc内网网段互通 LibreSwan是IPsec协议的开源实现,它基于FreeSwan项目,可以在RedHat的Linux发行版上使用该软件包。本文我们将使用两台 libreswan 搭建 点对点的ipsec隧道,实现两idc内网互通
SWANikev2协议esp-alg-null配置测试
redwingz的博客
11-05 789
测试主要验证远程用户carol与网关moon建立连接时,通过在ipsec.conf文件中设置esp=null-sha256!,而采用ESP套件:NULL / HMAC_SHA256_128的过程。本次测试拓扑如下: carol主机配置 carol的配置文件:ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf,内容如下,IKE使用aes128-sha256...
IKEv2协议报文分片处理
redwingz的博客
12-10 2080
以下根据strongswan代码中的testing/tests/ikev2/net2net-fragmentation/中的测试环境,来看一下IKEv2协议的报文分片处理流程。拓扑结构如下: 拓扑图中使用到的设备包括:虚拟网关moon和sun网关。 网关配置 moon的配置文件:/etc/ipsec.conf,内容如下。注意此处fragmentation字段的值为yes,可能的取值还有:no、a...
StrongSwan安装部署、配置使用方法总结
sway913的博客
05-07 2万+
StrongSwan官网:https://www.strongswan.org/ 下载地址:https://www.strongswan.org/download.html 一、StrongSwan安装 1.编译安装 1.我习惯创建/opt/package目录,用于存放下载的程序包文件 [root@ecs-e84a package]# mkdir -p /opt/package...
SWANikev2协议crl-ldap配置测试
redwingz的博客
11-04 757
测试主要验证远程用户carol和网关moon通过LDAP协议由LDAP服务器获取CRL证书的功能,以及对CRL证书进行缓存的设置。测试开始时网关moon和远程用户carol开启了严格CRL策略,但是缓存在本地目录:/etc/ipsec.d/crls/目录下的CRL证书已经过期,因此需要由LDAP服务器winnetou(IP地址:192.168.0.150)重新获得CRL证书,之后,由于设置了ch...
SWANikev2协议compress配置测试
redwingz的博客
10-31 611
测试主要验证远程用户carol和moon网关之间的IPComp压缩功能,两次使用ping测试隧道连接的压缩与否,使用的报文长度不同,内核不压缩长度较小的报文。测试拓扑如下: 主机配置 carol的连接配置文件:ikev2/compress/hosts/carol/etc/ipsec.conf,内容如下,主要关注compress字段设置为yes,这真是本次测试的压缩功能。另外moon主机的配置于...
StrongSwan测试环境概述
redwingz的博客
10-24 3367
有关StrongSwan测试环境的搭建可参见:https://blog.csdn.net/sinat_20184565/article/details/100900670 由于已经搭建好了测试环境,将配置文件(strongswan-5.8.1/testing/testing.conf)中以下四项关闭,不用每次执行make-testing的时候,都进行创建,节省时间。 # Enable partic...
Failed to connect to cq-bbjf-swan-32-1:41834
最新发布
04-01
As an AI language model, I do not have enough information to accurately diagnose the issue. However, "Failed to connect" typically means that a connection was attempted but not successfully established. "cq-bbjf-swan-32-1:41834" appears to be a server or device name and port number. The issue could be due to a variety of reasons such as network connectivity issues, incorrect credentials, or the server being down. It is recommended to check the server status, network connection, and ensure that the correct credentials are being used. If the issue persists, contacting the server administrator or technical support may be necessary.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值