SWAN测试用例af-alg/rw-cert

IPSecurity 专栏收录该内容
89 篇文章 4 订阅

本测试中远程用户(roadwarrior) carol与网关moon使用内核的加密套接口af_alg(代码位于内核文件crypto/af_alg.c)进行所有的对称加密和哈希计算,另外远程用户dave使用strongswan默认的加密插件:aes、des、sha1、sha2、md5或gmp进行相应操作。

远程用户carol和dave分别建立到网关moon的连接,认证使用X.509证书方式。连接成功建立之后,carol和dave分别ping网关moon之后的虚拟主机alice,以验证连通性。

以下启动af-alg/rw-cert测试用例,注意在启动之前需要执行start-testing脚本开启测试环境。

$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests af-alg/rw-cert
Guest kernel : 5.2.11
strongSwan   : 5.8.1
Date         : 20191028-0639-21

[ ok ]  1 af-alg/rw-cert: pre..test..post

Passed : 1
Failed : 0

The results are available in /srv/strongswan-testing/testresults/20191028-0639-21
or via the link http://192.168.0.150/testresults/20191028-0639-21

Finished : 20191028-0639-33

以下为测试用例af-alg/rw-cert的测试结果记录文件。

$ ls /srv/strongswan-testing/testresults/20191028-0639-21/af-alg/rw-cert/
carol.auth.log             carol.swanctl.conf   dave.ipsec.sql            dave.swanctl.stats    moon.swanctl.authorities
carol.daemon.log           carol.swanctl.conns  dave.iptables             index.html            moon.swanctl.certs
carol.ip.policy            carol.swanctl.pols   dave.iptables-save        moon.auth.log         moon.swanctl.conf
carol.ip.route             carol.swanctl.pools  dave.strongswan.conf      moon.daemon.log       moon.swanctl.conns
carol.ip.state             carol.swanctl.sas    dave.swanctl.algs         moon.ip.policy        moon.swanctl.pols
carol.ipsec.sql            carol.swanctl.stats  dave.swanctl.authorities  moon.ip.route         moon.swanctl.pools
carol.iptables             console.log          dave.swanctl.certs        moon.ip.state         moon.swanctl.sas
carol.iptables-save        dave.auth.log        dave.swanctl.conf         moon.ipsec.sql        moon.swanctl.stats
carol.strongswan.conf      dave.daemon.log      dave.swanctl.conns        moon.iptables         moon.tcpdump.log
carol.swanctl.algs         dave.ip.policy       dave.swanctl.pols         moon.iptables-save
carol.swanctl.authorities  dave.ip.route        dave.swanctl.pools        moon.strongswan.conf
carol.swanctl.certs        dave.ip.state        dave.swanctl.sas          moon.swanctl.algs

以上测试结果文件记录了测试过程中虚拟主机carol和dave,以及网关moon的各种状态信息和运行日志。测试拓扑如下:

在这里插入图片描述

测试配置文件

配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/test.conf,内容如下。VIRTHOSTS变量定义了本测试用来需要使用的的虚拟主机列表。DIAGRAM指定了测试报告中使用的测试拓扑图,如上所示。变量IPSECHOSTS定义了测试中参与IPSec隧道建立的虚拟主机名称。SWANCTL为1表明使用命令行工具swanctl与主进程charon通信,而不是ipsec命令。

VIRTHOSTS="alice moon carol winnetou dave"

# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"

# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"

# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"

# charon controlled by swanctl
#
SWANCTL=1

carol配置

连接配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf,内容如下。虚拟主机carol的IP地址为192.168.0.100,而moon网关的IP地址为192.168.0.1。

另外,此连接(名称home)定义了本次测试使用的两个proposals。分别为IPSec使用的esp_proposals,其值为3des-sha1-modp1536。以及IKE的proposal,值为3des-sha1-modp1536(三部分分别为加密算法,验证算法和Diffie-Hellman组)。version等于2表明使用IKEv2版本。

 connections {
 
    home {
       local_addrs  = 192.168.0.100
       remote_addrs = 192.168.0.1
 
       local {
          auth = pubkey
          certs = carolCert.pem
          id = carol@strongswan.org
       }
       remote {
          auth = pubkey
          id = moon.strongswan.org
       }
       children {
          home {
             remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
             esp_proposals = 3des-sha1-modp1536
          }
       }
       version = 2
       proposals = 3des-sha1-modp1536
    }
 }

StrongSwan配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf,内容如下,指定需要加载的模块。注意这里的af-alg模块为本测试中测试模块。

 swanctl {
   load = pem pkcs1 x509 revocation constraints pubkey openssl random
 }
 
 charon-systemd {
   load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
   integrity_test = yes
   crypto_test {
     on_add = yes
   }
 }

其它配置文件(位于全局测试目录下),这些文件在测试准备阶段将拷贝到测试虚拟主机上,参见文件:strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录,其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件。另外三个目录为ipsec.d,network和swanctl,其中ipsec.d和swanctl分别保存各自的证书文件,本测试用例中使用swanctl工具,参见文件:tests/af-alg/rw-cert/test.conf中的变量SWANCTL。

$ ls -R strongswan-5.8.1/testing/hosts/carol/ 

hosts/carol/etc/hostname
hosts/carol/etc/ipsec.conf
hosts/carol/etc/ipsec.secrets
hosts/carol/etc/strongswan.conf
hosts/carol/etc/ipsec.d/ipsec.sql
hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/carol/etc/ipsec.d/certs/carolCert.pem
hosts/carol/etc/ipsec.d/private/carolKey.pem
hosts/carol/etc/network/interfaces
hosts/carol/etc/swanctl/rsa/carolKey.pem
hosts/carol/etc/swanctl/x509/carolCert.pem
hosts/carol/etc/swanctl/x509ca/strongswanCert.pem

network子目录下的文件interfaces,用于设置alice主机的网络接口eth0的IP地址信息。

 auto lo
 iface lo inet loopback
 
 auto eth0
 iface eth0 inet static
         address 192.168.0.100
         netmask 255.255.255.0
         broadcast 192.168.0.255
         gateway 192.168.0.254
 iface eth0 inet6 static
         address fec0::10
         netmask 16

dave主机配置

连接配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf,内容如下。虚拟主机dave的IP地址为192.168.0.200,而moon网关的IP地址为192.168.0.1。

另外,此连接(名称home)定义了本次测试使用的两个proposals。分别为IPSec使用的esp_proposals,其值为aes128-sha256-modp3072。以及IKE的proposal,值为aes128-sha256-modp3072(三部分分别为加密算法,验证算法和Diffie-Hellman组)。version等于2表明使用IKEv2版本。

connections {

   home {
      local_addrs  = 192.168.0.200
      remote_addrs = 192.168.0.1 

      local {
         auth = pubkey
         certs = daveCert.pem
         id = dave@strongswan.org
      }
      remote {
         auth = pubkey
         id = moon.strongswan.org 
      }
      children {
         home {
            remote_ts = 10.1.0.0/16 

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128-sha256-modp3072
         }
      }
      version = 2
      proposals = aes128-sha256-modp3072
   }
}

StrongSwan配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf,内容如下,指定需要加载的模块。注意与carol主机不同,这里没有加载af-alg模块,而是使用strongswan插件aes des sha1 sha2 md5。


swanctl {
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon-systemd {
  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici
  integrity_test = yes
  crypto_test {
    on_add = yes
  }
}

其它配置文件(位于全局测试目录下),这些文件在测试准备阶段将拷贝到测试虚拟主机上,参见文件:strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录,其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件。另外三个目录为ipsec.d,network和swanctl,其中ipsec.d和swanctl分别保存各自的证书文件,本测试用例中使用swanctl工具,参见文件:tests/af-alg/rw-cert/test.conf中的变量SWANCTL的设置。

$ ls -R strongswan-5.8.1/testing/hosts/dave/ 

hosts/dave/etc/hostname
hosts/dave/etc/ipsec.conf
hosts/dave/etc/ipsec.secrets
hosts/dave/etc/strongswan.conf
hosts/dave/etc/ipsec.d/ipsec.sql
hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/dave/etc/ipsec.d/certs/daveCert.pem
hosts/dave/etc/ipsec.d/private/daveKey.pem
hosts/dave/etc/network/interfaces
hosts/dave/etc/swanctl/rsa/daveKey.pem
hosts/dave/etc/swanctl/x509/daveCert.pem
hosts/dave/etc/swanctl/x509ca/strongswanCert.pem

network子目录下的文件interfaces,用于设置dave主机的网络接口eth0的IP地址信息。

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.200
        netmask 255.255.255.0
        broadcast 192.168.0.255
        gateway 192.168.0.254
iface eth0 inet6 static
        address fec0::20
        netmask 16

moon网关配置

配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-alg/hosts/moon/etc/swanctl/swanctl.conf,内容如下。注意网关moon的连接配置,每一种proposals都配置了两个。rw连接的proposals和子连接net的esp_proposals都设置为:aes128-sha256-modp3072和3des-sha1-modp1536,前者用于与主机dave建立连接;后者用于与主机carol建立连接。IKE使用IKEv2版。

作为网关,其事先并不知晓连接对端的IP地址信息,此处只有local_addrs的配置。

connections {

   rw {
      local_addrs  = 192.168.0.1

      local {
         auth = pubkey
         certs = moonCert.pem
         id = moon.strongswan.org
      }
      remote {
         auth = pubkey
      }
      children {
         net {
            local_ts  = 10.1.0.0/16 

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128-sha256-modp3072,3des-sha1-modp1536
         }
      }
      version = 2
      proposals = aes128-sha256-modp3072,3des-sha1-modp1536 
   }
}

StrongSwan配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf,内容如下,指定要加载的模块。与虚拟主机carol相同,moon网关使用af-alg模块,即使用内核提供的对称加密接口。

swanctl {
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon-systemd {
  load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
  integrity_test = yes
  crypto_test {
    on_add = yes
  }
}

其它配置文件(位于全局测试目录下),这些文件在测试准备阶段将拷贝到测试虚拟主机上,参见文件:strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录,其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件,还有rc.local文件。另外三个目录为ipsec.d,network和swanctl,其中ipsec.d和swanctl分别保存各自的证书文件,本测试用例中使用swanctl工具,参见文件:tests/af-alg/rw-cert/test.conf,中的变量SWANCTL。

$ ls -R strongswan-5.8.1/testing/hosts/moon/ 

hosts/moon/etc/hostname
hosts/moon/etc/ipsec.conf
hosts/moon/etc/ipsec.secrets
hosts/moon/etc/rc.local
hosts/moon/etc/strongswan.conf
hosts/moon/etc/ipsec.d/ipsec.sql
hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/moon/etc/ipsec.d/certs/moonCert.pem
hosts/moon/etc/ipsec.d/private/moonKey.pem
hosts/moon/etc/network/interfaces
hosts/moon/etc/swanctl/rsa/moonKey.pem
hosts/moon/etc/swanctl/x509/moonCert.pem
hosts/moon/etc/swanctl/x509ca/strongswanCert.pem

network子目录下的文件interfaces,用于设置moon主机的两个网络接口eth0和eth1的IP地址信息。

 auto lo
 iface lo inet loopback
 
 auto eth0
 iface eth0 inet static
         address 192.168.0.1
         netmask 255.255.255.0
         broadcast 192.168.0.255
         gateway 192.168.0.254
 iface eth0 inet6 static
         address fec0::1
         netmask 16
 
 auto eth1
 iface eth1 inet static
         address 10.1.0.1
         netmask 255.255.0.0
         broadcast 10.1.255.255
 iface eth1 inet6 static
         address fec1::1
         netmask 16

准备阶段

配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-alg/pretest.dat,内容如下。在预测试pre-test阶段,备份moon、carol和dave主机的iptables配置。启动strongswan。使用脚本expect-connection检测名称为net的连接(carol和dave主机上为home)是否建立,超过5秒钟检测不到,打印失败信息。swanctl在carol和dave主机上分别初始化一个名称为home的子连接。

通过之前的介绍已经在carol和dave主机,以及moon网关的各自配置文件(/etc/swanctl/swanctl.conf)中看到了home和net的配置信息。

moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
moon::systemctl start strongswan
carol::systemctl start strongswan
dave::systemctl start strongswan
moon::expect-connection net 
carol::expect-connection home 
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
dave::swanctl --initiate --child home 2> /dev/null

脚本expect-connection的内容如下。如果/etc/strongswan.conf文件中加载了stroke模块,或者DAEMON_NAME变量有值,将使用ipsec statusall命令查看连接信息;否则使用swanctl --list-conns查看。由以上介绍的文件strongswan.conf可知,并未加载stroke模块。使用swanctl查看连接信息,并在moon主机上检查是否存在名称为net的连接,在carol和dave主机上检查是否存在home连接。默认的检测时长为5秒,可在命令行中指定此值。

secs=$2
[ ! $secs ] && secs=5

cmd="swanctl --list-conns"
grep 'load.*stroke' /etc/strongswan.conf >/dev/null
if [ $? -eq 0 -o -n "$DAEMON_NAME" ]; then
        cmd="ipsec statusall"
fi

let steps=$secs*10
for i in `seq 1 $steps`
do
        $cmd 2>&1 | grep ^[[:space:]]*$1: >/dev/null
        [ $? -eq 0 ] && exit 0
        sleep 0.1
done

echo "Connection '$1' not available after $secs second(s)"
exit 1

测试阶段

配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/evaltest.dat,内容如下。在第一行中,SSH登录到carol主机执行ping命令,并且期待alice返回的信息符合pattern:(128 bytes from PH_IP_ALICE: icmp_.eq=1)。其中PH_IP_ALICE为alice主机的IP地址。第二行测试语句,与第一行类似,此处登录到dave主机执行ping主机alice的操作。

carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES

第三行测试语句登录到carol主机中,使用命令swanctl --list-sas --raw显示安全关联SA的信息,在其中匹配随后的模式pattern字段,这个比较长。主要包括连接名称:home;状态:ESTABLISHED;本地地址:192.168.0.100:4500;ID信息carol@strongswan.org;远端地址信息:192.168.0.1:4500。远端IDmoon.strongswan.org。加密算法:3DES_CBC;验证算法:HMAC_SHA1_96;dh-group:MODP_1536等等。可见与以上rw-alg/hosts/carol/etc/swanctl/swanctl.conf中的配置相符。

子连接的SA匹配信息有,协议protocol字段:ESP;加密算法encr-alg字段:3DES_CBC;以及本地和远端流量选择符(ts),与以上文件swanctl.conf中的child连接配置相符。以下为carol虚拟主机执行swanctl --list-sas的显示信息,可见与测试文件evaltest.dat的第二行完全匹配。

home: #1, ESTABLISHED, IKEv2, 49db35646f699012_i* eab573efbb8c04a3_r
  local  'carol@strongswan.org' @ 192.168.0.100[4500]
  remote 'moon.strongswan.org' @ 192.168.0.1[4500]
  3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  established 3s ago, rekeying in 13888s
  home: #1, reqid 1, INSTALLED, TUNNEL, ESP:3DES_CBC/HMAC_SHA1_96
    installed 3s ago, rekeying in 3261s, expires in 3957s
    in  c581b081,     84 bytes,     1 packets,     3s ago
    out c96186f4,     84 bytes,     1 packets,     3s ago
    local  192.168.0.100/32
    remote 10.1.0.0/16

第四行测试语句与第三行类似,此处登录的dave主机上执行swanctl --list-sas --raw命令检查输出结果,进行匹配操作。以下为dave虚拟主机上执行swanctl命令的输出:

home: #1, ESTABLISHED, IKEv2, 623e88f6d5f105df_i* 740a8cf8e50d48e0_r
  local  'dave@strongswan.org' @ 192.168.0.200[4500]
  remote 'moon.strongswan.org' @ 192.168.0.1[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
  established 4s ago, rekeying in 13234s
  home: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 4s ago, rekeying in 3236s, expires in 3956s
    in  cc0b2e38,     84 bytes,     1 packets,     3s ago
    out c77009a8,     84 bytes,     1 packets,     3s ago
    local  192.168.0.200/32
    remote 10.1.0.0/16

第五行和第六行测试语句,都在moon网关上执行,这里分别使用命令swanctl --list-sas --ike-id 1 --raw和swanctl --list-sas --ike-id 2 --raw显示IKE ID为1和2的SA信息。由于在pretest.dat文件中首先执行的carol主机的测试,其在moon网关上对于的IKE ID应为1。dave主机对应的IKE ID为2。moon网关上执行swanctl --list-conns命令列出所有SA的结果如下显示。

rw: #2, ESTABLISHED, IKEv2, 623e88f6d5f105df_i 740a8cf8e50d48e0_r*
  local  'moon.strongswan.org' @ 192.168.0.1[4500]
  remote 'dave@strongswan.org' @ 192.168.0.200[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
  established 3s ago, rekeying in 13524s
  net: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 3s ago, rekeying in 3403s, expires in 3957s
    in  c77009a8,     84 bytes,     1 packets,     3s ago
    out cc0b2e38,     84 bytes,     1 packets,     3s ago
    local  10.1.0.0/16
    remote 192.168.0.200/32
rw: #1, ESTABLISHED, IKEv2, 49db35646f699012_i eab573efbb8c04a3_r*
  local  'moon.strongswan.org' @ 192.168.0.1[4500]
  remote 'carol@strongswan.org' @ 192.168.0.100[4500]
  3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  established 3s ago, rekeying in 13173s
  net: #1, reqid 1, INSTALLED, TUNNEL, ESP:3DES_CBC/HMAC_SHA1_96
    installed 3s ago, rekeying in 3408s, expires in 3957s
    in  c96186f4,     84 bytes,     1 packets,     3s ago
    out c581b081,     84 bytes,     1 packets,     3s ago
    local  10.1.0.0/16
    remote 192.168.0.100/32

最后4行测试语句都是在moon网关上执行的,这里的tcpdump命令并不执行,而是检查在以上的测试过程中后台tcpdump名称输出到文件/tmp/tcpdump.log中的日志信息,确认carol与moon,以及dave和moon之间的ESP加密的ping报文是否正常。

 23 06:39:34.565750 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc96186f4,seq=0x1), length 116
 24 06:39:34.565832 IP carol.strongswan.org > alice.strongswan.org: ICMP echo request, id 4804, seq 1, length 64
 25 06:39:34.566274 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc581b081,seq=0x1), length 116
 26 06:39:34.605771 IP dave.strongswan.org > moon.strongswan.org: ESP(spi=0xc77009a8,seq=0x1), length 136
 27 06:39:34.605846 IP dave.strongswan.org > alice.strongswan.org: ICMP echo request, id 4228, seq 1, length 64
 28 06:39:34.609893 IP moon.strongswan.org > dave.strongswan.org: ESP(spi=0xcc0b2e38,seq=0x1), length 136
防火墙规则

以下为测试过程中,在虚拟主机carol的filter表中加入的规则,规则的配置由swanctl.conf文件中指定的updown脚本完成(/usr/local/libexec/ipsec/_updown iptables)。在hook点INPUT上,允许UDP源和目的端口同时为500或者4500的报文,前者为IKE协议端口,后者为NAT-T使用的端口号,另外允许ESP和AH协议的报文通过,由于此测试使用ESP协议,以下AH规则的计数为空。在INPUT点上,源IP为10.1.0.0/16,目的IP为192.168.0.100的报文匹配入方向的IPSEC策略,reqid为1,协议号为50(ESP)。

在hook点OUTPUT上源IP为192.168.0.100,目的IP为10.1.0.0/16的报文匹配出方向的IPSEC策略,reqid为1,协议号为50(ESP)。

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 ACCEPT     all  --  eth0   *       10.1.0.0/16          192.168.0.100        policy match dir in pol ipsec reqid 1 proto 50
    1   136 ACCEPT     esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    1   455 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
    2  1944 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:4500 dpt:4500       

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 ACCEPT     all  --  *      eth0    192.168.0.100        10.1.0.0/16          policy match dir out pol ipsec reqid 1 proto 50
    1   136 ACCEPT     esp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    1   422 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
    2  2008 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:4500 dpt:4500

以下为在主机carol上使用ip -s xfrm policy显示的IPSec策略:

src 192.168.0.100/32 dst 10.1.0.0/16 uid 0
        dir out action allow index 433 priority 375423 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-10-28 06:39:38 use 2019-10-28 06:39:38
        tmpl src 192.168.0.100 dst 192.168.0.1
                proto esp spi 0xc96186f4(3378611956) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.0.0/16 dst 192.168.0.100/32 uid 0
        dir in action allow index 416 priority 375423 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-10-28 06:39:38 use 2019-10-28 06:39:38
        tmpl src 192.168.0.1 dst 192.168.0.100
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

虚拟主机dave的iptables配置与以上类似。但是网关moon上配置略有不同,其IPSEC策略配置在hook点FORWORD上。

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 ACCEPT     all  --  eth0   *       192.168.0.200        10.1.0.0/16          policy match dir in pol ipsec reqid 2 proto 50
    1    84 ACCEPT     all  --  *      eth0    10.1.0.0/16          192.168.0.200        policy match dir out pol ipsec reqid 2 proto 50
    1    84 ACCEPT     all  --  eth0   *       192.168.0.100        10.1.0.0/16          policy match dir in pol ipsec reqid 1 proto 50
    1    84 ACCEPT     all  --  *      eth0    10.1.0.0/16          192.168.0.100        policy match dir out pol ipsec reqid 1 proto 50

收尾阶段

配置文件:strongswan-5.8.1/testing/tests/af-alg/rw-cert/posttest.dat,内容如下。其中第一行断开carol虚拟主机上名称为home的连接。第二行断开dave主机上名称为home的连接。第三、四、五行终止carol、dave和moon网关上的StrongSwan进程。最后三行恢复moon网关以及carol和dave主机上的iptables规则。

carol::swanctl --terminate --ike home
dave::swanctl --terminate --ike home
carol::systemctl stop strongswan
dave::systemctl stop strongswan
moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush

测试结果文件默认都保存在目录:/srv/strongswan-testing/testresults/20191028-0639-21/af-alg/rw-cert/下,其中文件console.log 记录了整个的测试过程。文件carol.daemon.log、dave.daemon.log和moon.daemon.log文件记录了各自主机上charon-systemd主进程的日志。完整的测试结果文件列表见本文开始部分。下图为IKEv2报文的交互报文。

在这里插入图片描述

附件为tcpdump抓取到的报文。

ike-af-alg.pcap

END

  • 0
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

相关推荐
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值