SWAN之botan/net2net-pkcs12测试

IPSecurity 专栏收录该内容
89 篇文章 4 订阅

本测试中网关sun与网关moon之间建立安全连接,连通两个子网,认证使用包含在PKCS12格式的文件中的X.509证书和RSA私钥。连接成功建立之后,在moon网关之后的主机alice上ping网关sun之后的bob主机,以验证连通性。

以下启动botan/net2net-pkcs12测试用例,注意在启动之前需要执行start-testing脚本开启测试环境。

$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests botan/net2net-pkcs12
Guest kernel : 5.2.11
strongSwan   : 5.8.1
Date         : 20191029-0605-58

[ ok ]  1 botan/net2net-pkcs12: pre..test..post

Passed : 1
Failed : 0

The results are available in /srv/strongswan-testing/testresults/20191029-0605-58
or via the link http://192.168.0.150/testresults/20191029-0605-58

Finished : 20191029-0606-06

以下为测试用例botan/net2net-pkcs12的测试结果记录文件。

$ ls /srv/strongswan-testing/testresults/20191029-0605-58/botan/net2net-pkcs12/
console.log      moon.ipsec.sql            moon.swanctl.conf   sun.daemon.log     sun.strongswan.conf      sun.swanctl.pools
index.html       moon.iptables             moon.swanctl.conns  sun.ip.policy      sun.swanctl.algs         sun.swanctl.sas
moon.auth.log    moon.iptables-save        moon.swanctl.pols   sun.ip.route       sun.swanctl.authorities  sun.swanctl.stats
moon.daemon.log  moon.strongswan.conf      moon.swanctl.pools  sun.ip.state       sun.swanctl.certs        sun.tcpdump.log
moon.ip.policy   moon.swanctl.algs         moon.swanctl.sas    sun.ipsec.sql      sun.swanctl.conf
moon.ip.route    moon.swanctl.authorities  moon.swanctl.stats  sun.iptables       sun.swanctl.conns
moon.ip.state    moon.swanctl.certs        sun.auth.log        sun.iptables-save  sun.swanctl.pols

以上测试结果文件记录了测试过程中虚拟网关sun以及网关moon的各种状态信息和运行日志。测试拓扑如下:

在这里插入图片描述

测试配置文件

配置文件:strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/test.conf,内容如下。VIRTHOSTS变量定义了本测试用来需要使用的的虚拟主机列表。DIAGRAM指定了测试报告中使用的测试拓扑图,如上所示。变量IPSECHOSTS定义了测试中参与IPSec隧道建立的虚拟主机名称。SWANCTL为1表明使用命令行工具swanctl与主进程charon通信,而不是ipsec命令。

VIRTHOSTS="alice moon winnetou sun bob"

# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"

# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"

# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"

# charon controlled by swanctl
#
SWANCTL=1

网关sun配置

连接配置文件:strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf,内容如下。虚拟网关sun的IP地址为192.168.0.2,而远端moon网关的IP地址为192.168.0.1。

另外,此连接(名称gw-gw)使用的proposals指定为:aes128-sha256-modp3072。子连接net-net使用的esp_proposals指定为:aes128gcm128-modp3072。version等于2表明使用IKEv2版本。

secrets部分指定PKCS12格式的证书文件:sunCert.p12,其中包含有证书和秘钥,此证书由secret字段指定的密码保护。

connections {

   gw-gw {
      local_addrs  = 192.168.0.2
      remote_addrs = 192.168.0.1

      local {
         auth = pubkey
         id = sun.strongswan.org
      }
      remote {
         auth = pubkey
         id = moon.strongswan.org
      }
      children {
         net-net {
            local_ts  = 10.2.0.0/16
            remote_ts = 10.1.0.0/16

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128gcm128-modp3072
         }
      }
      version = 2
      mobike = no
      proposals = aes128-sha256-modp3072
   }
}

secrets {

   pkcs12-sun {
      file = sunCert.p12
      secret = "IxjQVCF3JGI+MoPi"
   }
}

StrongSwan配置文件:strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf ,内容如下,指定需要加载的模块。注意这里的botan模块为本次需要测试的功能模块。

# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
  multiple_authentication = no
}

由于默认的证书文件使用PEM格式,在此次测试中不能使用,所以提供了如下的PKCS12证书文件。

$ ls strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/
 sunCert.p12

如下为证书sunCert.p12的部分内容,使用openssl命令显示时提示Import密码,需要输入以上swanctl.conf文件中定义的密码。此p12证书由三个部分组成:2个证书包和一个私钥。其中第一个证书包为CA签发给sun主机的证书;第二个证书包为根证书。

strongswan-5.8.1/testing/tests/botan/net2net-pkcs12$ openssl pkcs12 -in hosts/sun/etc/swanctl/pkcs12/sunCert.p12 -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: sun
    localKeyID: BC E2 76 C8 87 E4 15 46 CA 94 4E 44 28 8F 64 DC 29 01 2C 95 
subject=C = CH, O = strongSwan Project, CN = sun.strongswan.org

issuer=C = CH, O = strongSwan Project, CN = strongSwan Root CA

-----BEGIN CERTIFICATE-----
MIIEhjCCAu6gAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDSDEb
...
g3abN2hCuoXcDw==
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: strongSwan Root CA
subject=C = CH, O = strongSwan Project, CN = strongSwan Root CA

issuer=C = CH, O = strongSwan Project, CN = strongSwan Root CA

-----BEGIN CERTIFICATE-----
MIIEVTCCAr2gAwIBAgIIHfCCbsYXyOIwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
...
Y6HfnUnG7HND
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: sun
    localKeyID: BC E2 76 C8 87 E4 15 46 CA 94 4E 44 28 8F 64 DC 29 01 2C 95 
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIHXDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQInIZn6oIFPasCAggA
...
82Sf+yuqO/huWw4ixlR8sg==
-----END ENCRYPTED PRIVATE KEY-----

moon网关配置

配置文件:strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf,内容如下。连接gw-gw的proposals使用:aes128-sha256-modp3072,子连net-net的esp_proposals使用:aes128gcm128-modp3072。IKE使用IKEv2版。

gw-gw连接的本地IP地址为:192.168.0.1,对端的IP地址为:192.168.0.2,即sun网关的IP地址。

secrets部分指定PKCS12格式的证书文件:moonCert.p12,其中包含有证书和秘钥,此证书由secret字段指定的密码保护。

connections {

   gw-gw {
      local_addrs  = 192.168.0.1
      remote_addrs = 192.168.0.2

      local {
         auth = pubkey
         id = moon.strongswan.org
      }
      remote {
         auth = pubkey
         id = sun.strongswan.org
      }
      children {
         net-net {
            local_ts  = 10.1.0.0/16
            remote_ts = 10.2.0.0/16

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128gcm128-modp3072
         }
      }
      version = 2
      mobike = no
      proposals = aes128-sha256-modp3072
   }
}

secrets {

   pkcs12-moon {
      file = moonCert.p12
      secret = "kUqd8O7mzbjXNJKQ"
   }
}

StrongSwan配置文件:strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf,内容如下,指定要加载的模块。这里指定加载botan模块,其正是我们要测试的模块。

# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
  multiple_authentication = no
}

由于默认的证书文件使用PEM格式,在此次测试中不能使用,所以提供了如下的证书文件。

$ ls strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/
 moonCert.p12 

如下为证书moonCert.p12的部分内容,使用openssl命令显示时提示Import密码,需要输入以上swanctl.conf文件中定义的密码。此p12证书由三个部分组成:2个证书包和一个私钥。其中第一个证书包为CA签发给moon主机的证书(CN = moon.strongswan.org);第二个证书包为根证书(CN = strongSwan Root CA)。

strongswan-5.8.1/testing/tests/botan/net2net-pkcs12$ openssl pkcs12 -in hosts/moon/etc/swanctl/pkcs12/moonCert.p12 -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: moon
    localKeyID: 34 46 34 B9 5A A6 28 33 B2 C1 EC FE 29 09 ED 36 78 5D 10 EA 
subject=C = CH, O = strongSwan Project, CN = moon.strongswan.org

issuer=C = CH, O = strongSwan Project, CN = strongSwan Root CA

-----BEGIN CERTIFICATE-----
MIIEiDCCAvCgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDSDEb
...
cbvYQ0LdGFckRIK1
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: strongSwan Root CA
subject=C = CH, O = strongSwan Project, CN = strongSwan Root CA

issuer=C = CH, O = strongSwan Project, CN = strongSwan Root CA

-----BEGIN CERTIFICATE-----
MIIEVTCCAr2gAwIBAgIIHfCCbsYXyOIwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
...
Y6HfnUnG7HND
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: moon
    localKeyID: 34 46 34 B9 5A A6 28 33 B2 C1 EC FE 29 09 ED 36 78 5D 10 EA 
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIHXDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQILqHYzwhGnWECAggA
...
uYyOMQoeY77LeaxEWMpBrw==
-----END ENCRYPTED PRIVATE KEY-----

准备阶段

配置文件:strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/pretest.dat,内容如下。在预测试pre-test阶段,首先删除moon和sun系统中默认的PEM格式的证书和密钥文件,接着备份moon和sun主机的iptables配置。启动strongswan。使用脚本expect-connection检测名称为gw-gw的连接是否建立,超过5秒钟检测不到,打印失败信息。swanctl在moon网关上初始化一个名称为net-net的子连接。

通过之前的介绍已经在sun和moon网关的各自配置文件(/etc/swanctl/swanctl.conf)中看到了gw-gw和net-net连接的配置信息。

  moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
  sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
  moon::iptables-restore < /etc/iptables.rules
  sun::iptables-restore < /etc/iptables.rules
  moon::systemctl start strongswan
  sun::systemctl start strongswan
  moon::expect-connection gw-gw
  sun::expect-connection gw-gw
  moon::swanctl --initiate --child net-net 2> /dev/null

测试阶段

配置文件:strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/evaltest.dat,内容如下。在第一行测试语句中,在alice主机上ping主机bob的地址:PH_IP_BOB,并检查ping返回信息。

alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES

第二行测试语句登录到moon网关中,使用命令swanctl --list-sas --raw显示安全关联SA的信息,在其中匹配随后的模式pattern字段,可见与以上hosts/moon/etc/swanctl/swanctl.conf中的配置相符。以下为swanctl的输出信息。

  gw-gw: #1, ESTABLISHED, IKEv2, 03176e9bd33240b6_i* 4d7c1f300c747012_r
    local  'moon.strongswan.org' @ 192.168.0.1[500]
    remote 'sun.strongswan.org' @ 192.168.0.2[500]
    AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
    established 1s ago, rekeying in 13999s
    net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
      installed 1s ago, rekeying in 3286s, expires in 3959s
      in  c33b9296,     84 bytes,     1 packets,     1s ago
      out ca1517a2,     84 bytes,     1 packets,     1s ago
      local  10.1.0.0/16
      remote 10.2.0.0/16

第三行测试语句与第二行类似,此处登录的sun网关上执行swanctl --list-sas --raw命令检查输出结果,进行匹配操作。以下为sun虚拟网关上执行swanctl命令的输出:

  gw-gw: #1, ESTABLISHED, IKEv2, 03176e9bd33240b6_i 4d7c1f300c747012_r*
    local  'sun.strongswan.org' @ 192.168.0.2[500]
    remote 'moon.strongswan.org' @ 192.168.0.1[500]
    AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
    established 3s ago, rekeying in 13271s
    net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
      installed 3s ago, rekeying in 3529s, expires in 3957s
      in  ca1517a2,     84 bytes,     1 packets,     2s ago
      out c33b9296,     84 bytes,     1 packets,     2s ago
      local  10.2.0.0/16
      remote 10.1.0.0/16

最后两行都在sun网关上执行,这里的tcpdump命令并不执行,而是检查在以上的测试过程中后台tcpdump命令输出到文件/tmp/tcpdump.log中的日志信息,确认sun与moon之间的ESP加密的ping报文是否正常。

  06:06:05.059470 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xca1517a2,seq=0x1), length 120
  06:06:05.059561 IP alice.strongswan.org > bob.strongswan.org: ICMP echo request, id 4996, seq 1, length 64
  06:06:05.064523 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xc33b9296,seq=0x1), length 120

以下为sun网关上的日志文件/var/log/daemon.log的部分内容,可见其中加载的PKCS12格式的证书文件sunCert.p12,由其加载了sun的客户证书,以及CA根证书和RSA私钥。

Oct 29 06:06:04 sun charon-systemd: 13[CFG] loaded certificate 'C=CH, O=strongSwan Project, CN=strongSwan Root CA'
Oct 29 06:06:04 sun swanctl[4963]:   C=CH, O=strongSwan Project, CN=strongSwan Root CA
Oct 29 06:06:04 sun charon-systemd: 13[CFG] loaded certificate 'C=CH, O=strongSwan Project, CN=sun.strongswan.org'
Oct 29 06:06:04 sun swanctl[4963]:   C=CH, O=strongSwan Project, CN=sun.strongswan.org
Oct 29 06:06:04 sun charon-systemd: 13[CFG] loaded RSA private key
Oct 29 06:06:04 sun charon-systemd: 13[CFG] added vici connection: gw-gw
Oct 29 06:06:04 sun swanctl[4963]: loaded certificate from '/etc/swanctl/pkcs12/sunCert.p12'
Oct 29 06:06:04 sun swanctl[4963]: loaded certificate from '/etc/swanctl/pkcs12/sunCert.p12'
Oct 29 06:06:04 sun swanctl[4963]: loaded rsa key from '/etc/swanctl/pkcs12/sunCert.p12'
Oct 29 06:06:04 sun swanctl[4963]: loaded connection 'gw-gw'
Oct 29 06:06:04 sun swanctl[4963]: successfully loaded 1 connections, 0 unloaded

Oct 29 06:06:04 sun charon-systemd: 11[CFG] selected peer config 'gw-gw'
Oct 29 06:06:04 sun charon-systemd: 11[CFG]   using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
Oct 29 06:06:04 sun charon-systemd: 11[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
Oct 29 06:06:04 sun charon-systemd: 11[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
Oct 29 06:06:04 sun charon-systemd: 11[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
Oct 29 06:06:04 sun charon-systemd: 11[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
Oct 29 06:06:04 sun charon-systemd: 11[IKE] authentication of 'sun.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
防火墙规则

以下为测试过程中,在虚拟网关sun的filter表中加入的规则(省略了OUTPUT hook点),规则的配置由swanctl.conf文件中指定的updown脚本完成(/usr/local/libexec/ipsec/_updown iptables)。在hook点INPUT上,允许UDP源和目的端口同时为500或者4500的报文,前者为IKE协议端口,后者为NAT-T使用的端口号,另外允许ESP和AH协议的报文通过,由于此测试使用ESP协议,以下AH规则的计数为空。

在FORWARD点上,源IP为10.1.0.0/16,目的IP为10.2.0.0/16的报文匹配入方向(in)的IPSEC策略,reqid为1,协议号为50(ESP)。源IP地址为10.2.0.0/16目的IP为10.1.0.0/16之间的报文分别匹配出方向(out)的IPSEC策略,reqid为1,协议号为50(ESP)。

  Chain INPUT (policy DROP 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      1   140 ACCEPT     esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
      0     0 ACCEPT     ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
      3  2588 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
      0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:4500 dpt:4500
    132 14748 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
      1    40 ACCEPT     tcp  --  eth0   *       192.168.0.150        0.0.0.0/0            tcp spt:80
  
  Chain FORWARD (policy DROP 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      1    84 ACCEPT     all  --  eth0   *       10.1.0.0/16          10.2.0.0/16          policy match dir in pol ipsec reqid 1 proto 50
      1    84 ACCEPT     all  --  *      eth0    10.2.0.0/16          10.1.0.0/16          policy match dir out pol ipsec reqid 1 proto 50

收尾阶段

配置文件:strongswan-5.8.1/testing/tests/botan/net2net-pkcs12/posttest.dat,内容如下。其中第一行终止moon和sun网关上的StrongSwan进程。第二、三行恢复moon和sun网关上的iptables规则。最后两行删除moon和sun网关上本次测试使用的PKCS12格式的证书文件。

  moon::systemctl stop strongswan
  sun::systemctl stop strongswan
  moon::iptables-restore < /etc/iptables.flush
  sun::iptables-restore < /etc/iptables.flush
  moon::rm /etc/swanctl/pkcs12/moonCert.p12
  sun::rm /etc/swanctl/pkcs12/sunCert.p12

测试结果文件默认都保存在目录:/srv/strongswan-testing/testresults/20191029-0605-58/botan/net2net-pkcs12/下,其中文件console.log 记录了整个的测试过程。文件sun.daemon.log和moon.daemon.log文件记录了各自主机上charon-systemd主进程的日志。完整的测试结果文件列表见本文开始部分。下图为IKEv2报文的交互报文。

在这里插入图片描述

END

  • 0
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

相关推荐
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值