SWAN之botan/rw-ecp256测试

IPSecurity 专栏收录该内容
89 篇文章 4 订阅

本测试中远程用户(roadwarrior)carol和网关moon使用strongswan的插件botan进行所有的加密相关计算,另外远程用户dave使用strongswan的openssl插件进行相应操作。远程用户carol和dave分别建立到网关moon的连接,认证基于X.509证书,秘钥交换基于ecp256算法。连接成功建立之后,网关moon之后的虚拟主机alice分别ping主机carol和dave,以验证连通性。

以下启动botan/rw-ecp256测试用例,注意在启动之前需要执行start-testing脚本开启测试环境。

$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests botan/rw-ecp256
Guest kernel : 5.2.11
strongSwan   : 5.8.1
Date         : 20191029-1032-10

[ ok ]  1 botan/rw-ecp256: pre..test..post

Passed : 1
Failed : 0

The results are available in /srv/strongswan-testing/testresults/20191029-1032-10
or via the link http://192.168.0.150/testresults/20191029-1032-10

Finished : 20191029-1032-17

由以上显示可知测试用例botan/rw-ecp256的测试结果记录文件保存在目录:/srv/strongswan-testing/testresults/20191029-1032-10/botan/rw-ecp256/中,这些文件记录了测试过程中虚拟主机carol和dave,以及网关moon的各种状态信息和运行日志。测试拓扑如下:

在这里插入图片描述

测试配置文件

配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/test.conf,内容如下。VIRTHOSTS变量定义了本测试用来需要使用的的虚拟主机列表。DIAGRAM指定了测试报告中使用的测试拓扑图,如上所示。变量IPSECHOSTS定义了测试中参与IPSec隧道建立的虚拟主机名称。SWANCTL为1表明使用命令行工具swanctl与主进程charon通信,而不是ipsec命令。

VIRTHOSTS="alice moon carol winnetou dave"

# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"

# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"

# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"

# charon controlled by swanctl
#
SWANCTL=1

carol配置

连接配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/hosts/carol/etc/swanctl/swanctl.conf,内容如下。虚拟主机carol的IP地址为192.168.0.100,而moon网关的IP地址为192.168.0.1。

另外,home连接使用的proposals为:aes128-sha256-ecp256(秘钥交换采用ecp256),子连接home使用的esp_proposals为:aes128gcm128-ecp256。version等于2表明使用IKEv2版本。

secrets部分指定PEM格式的RSA私钥文件:carolKey.pem。

connections {

   home {
      local_addrs  = 192.168.0.100
      remote_addrs = 192.168.0.1

      local {
         auth = pubkey
         certs = carolCert.pem
         id = carol@strongswan.org
      }
      remote {
         auth = pubkey
         id = moon.strongswan.org
      }
      children {
         home {
            remote_ts = 10.1.0.0/16

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128gcm128-ecp256
         }
      }
      version = 2
      proposals = aes128-sha256-ecp256
   }
}

secrets {

   rsa-carol {
      file = carolKey.pem
      secret = "nH5ZQEWtku0RJEZ6"
   }
}

StrongSwan配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/hosts/carol/etc/strongswan.conf,内容如下,指定需要加载的模块。注意这里的botan模块为本测试中测试模块。rsa_pss字段表明RSA私钥签名过程中使用PSS(Probabilistic Signature Scheme)填充模式。

swanctl {
  load = botan pem x509 revocation constraints pubkey
}

charon-systemd {
  load = nonce botan pem x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici

  rsa_pss = yes
}

carol的证书相关文件保存在如下的全局默认目录。

$ ls -R strongswan-5.8.1/testing/hosts/carol/ 

etc/swanctl/rsa/carolKey.pem
etc/swanctl/x509/carolCert.pem
etc/swanctl/x509ca/strongswanCert.pem

dave主机配置

连接配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/hosts/dave/etc/swanctl/swanctl.conf,内容如下。虚拟主机dave的IP地址为192.168.0.200,而moon网关的IP地址为192.168.0.1。

另外,home连接使用的proposals为:aes128-sha256-ecp256;子连接home使用的esp_proposals为aes128gcm128-ecp256。version等于2表明使用IKEv2版本。

connections {

   home {
      local_addrs  = 192.168.0.200
      remote_addrs = 192.168.0.1

      local {
         auth = pubkey
         certs = daveCert.pem
         id = dave@strongswan.org
      }
      remote {
         auth = pubkey
         id = moon.strongswan.org
      }
      children {
         home {
            remote_ts = 10.1.0.0/16

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128gcm128-ecp256
         }
      }
      version = 2
      proposals = aes128-sha256-ecp256
   }
}

StrongSwan配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/hosts/dave/etc/strongswan.conf,内容如下,指定需要加载的模块。注意与carol主机不同,这里没有加载botan模块,而是使用strongswan插件openssl等。rsa_pss字段表明RSA私钥签名过程中使用PSS(Probabilistic Signature Scheme)填充模式。

swanctl {
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon-systemd {
  load = nonce openssl pem revocation constraints pubkey curl kernel-netlink socket-default updown vici

  rsa_pss = yes
}

dave的证书相关文件保存在如下的全局默认目录。

$ ls -R strongswan-5.8.1/testing/hosts/dave/ 

hosts/dave/etc/swanctl/rsa/daveKey.pem
hosts/dave/etc/swanctl/x509/daveCert.pem
hosts/dave/etc/swanctl/x509ca/strongswanCert.pem

moon网关配置

配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/hosts/moon/etc/swanctl/swanctl.conf,内容如下。rw(roadwarrior)连接的proposals设置为:aes128-sha256-ecp256;子连接net的esp_proposals设置为:aes128gcm128-ecp256。IKE使用IKEv2版。

作为网关,其事先并不知晓连接对端的IP地址信息,此处只有local_addrs的配置。

connections {

   rw {
      local_addrs  = 192.168.0.1

      local {
         auth = pubkey
         certs = moonCert.pem
         id = moon.strongswan.org
      }
      remote {
         auth = pubkey
      }
      children {
         net {
            local_ts  = 10.1.0.0/16

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128gcm128-ecp256
         }
      }
      version = 2
      proposals = aes128-sha256-ecp256
   }
}

StrongSwan配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/hosts/moon/etc/strongswan.conf,内容如下,指定要加载的模块。与虚拟主机carol相同,moon网关使用botan模块执行加解密相关操作。rsa_pss字段表明RSA私钥签名过程中使用PSS(Probabilistic Signature Scheme)填充模式。

swanctl {
  load = pem botan x509 revocation constraints pubkey
}

charon-systemd {
  load = nonce test-vectors botan pem x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici

  rsa_pss = yes
}

moon的证书相关文件保存在如下的全局默认目录。

$ ls -R strongswan-5.8.1/testing/hosts/moon/ 

etc/swanctl/rsa/moonKey.pem
etc/swanctl/x509/moonCert.pem
etc/swanctl/x509ca/strongswanCert.pem

准备阶段

配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/pretest.dat,内容如下。在预测试pre-test阶段,备份moon、carol和dave主机的iptables配置。启动strongswan。使用脚本expect-connection检测名称为net的连接(carol和dave主机上为home连接)是否建立,超过5秒钟检测不到,打印失败信息。swanctl在carol和dave主机上分别初始化一个名称为home的子连接。

通过之前的介绍已经在carol和dave主机,以及moon网关的各自配置文件(etc/swanctl/swanctl.conf)中已经看到了home和net连接的配置信息。

moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
moon::systemctl start strongswan
carol::systemctl start strongswan
dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
dave::swanctl --initiate --child home 2> /dev/null

测试阶段

测试配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/evaltest.dat,内容如下。在第一行测试语句中,SSH登录到carol主机执行swanctl --list-sas --raw命令,检查连接建立情况。

carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES

在carol主机上执行命令swanctl --list-sas --raw的输出如下所示,可见与测试语句中的内存匹配,秘钥交换采用的为ECP_256。

   home: #1, ESTABLISHED, IKEv2, 5249f3f2ca0905dc_i* b4534a4d88a5bf4c_r
     local  'carol@strongswan.org' @ 192.168.0.100[4500]
     remote 'moon.strongswan.org' @ 192.168.0.1[4500]
     AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
     established 2s ago, rekeying in 13839s
     home: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
       installed 2s ago, rekeying in 3388s, expires in 3958s
       in  c4bc47be,     84 bytes,     1 packets,     1s ago
       out c42f60a5,     84 bytes,     1 packets,     1s ago
       local  192.168.0.100/32
       remote 10.1.0.0/16

第二行测试语句在dave主机上执行命令 swanctl --list-sas --raw,检查输出结果是否与指定内容匹配。以下为swanctl的执行结构,可见两者完全匹配。

  home: #1, ESTABLISHED, IKEv2, 09e2516cd9f414b5_i* 21f4be4821cfde8c_r
    local  'dave@strongswan.org' @ 192.168.0.200[4500]
    remote 'moon.strongswan.org' @ 192.168.0.1[4500]
    AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    established 2s ago, rekeying in 13164s
    home: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
      installed 2s ago, rekeying in 3444s, expires in 3958s
      in  cf667498,     84 bytes,     1 packets,     2s ago
      out cd26bb7a,     84 bytes,     1 packets,     2s ago
      local  192.168.0.200/32
      remote 10.1.0.0/16

第三行测试语句在moon网关上执行命令 swanctl --list-sas --ike-id 1 --raw,这里指定了ike-id参数为1,由于在测试过程中,carol主机首先发起了连接请求,此处匹配的为carol的连接。检查输出结果是否与指定内容匹配。以下为swanctl的执行结构,可见两者完全匹配。

  rw: #1, ESTABLISHED, IKEv2, 5249f3f2ca0905dc_i b4534a4d88a5bf4c_r*
    local  'moon.strongswan.org' @ 192.168.0.1[4500]
    remote 'carol@strongswan.org' @ 192.168.0.100[4500]
    AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    established 1s ago, rekeying in 14238s
    net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
      installed 1s ago, rekeying in 3408s, expires in 3959s
      in  c42f60a5,     84 bytes,     1 packets,     0s ago
      out c4bc47be,     84 bytes,     1 packets,     0s ago
      local  10.1.0.0/16
      remote 192.168.0.100/32

第四行测试语句在moon网关上执行命令 swanctl --list-sas --ike-id 2 --raw,这里指定了ike-id参数为2,由于在测试过程中,dave主机在carol之后发起连接请求,此处匹配的为dave的连接。检查输出结果是否与指定内容匹配。以下为swanctl的执行结构,可见两者完全匹配。

  rw: #2, ESTABLISHED, IKEv2, 09e2516cd9f414b5_i 21f4be4821cfde8c_r*
    local  'moon.strongswan.org' @ 192.168.0.1[4500]
    remote 'dave@strongswan.org' @ 192.168.0.200[4500]
    AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    established 0s ago, rekeying in 13557s
    net: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
      installed 0s ago, rekeying in 3250s, expires in 3960s
      in  cd26bb7a,     84 bytes,     1 packets,     0s ago
      out cf667498,     84 bytes,     1 packets,     0s ago
      local  10.1.0.0/16
      remote 192.168.0.200/32

第五行和第六行测试语句,都在moon网关之后的alice主机上执行,分别ping主机carol和dave的IP地址,并检查返回信息。最后4行测试语句都是在moon网关上执行的,这里的tcpdump命令并不执行,而是检查在以上的测试过程中后台tcpdump名称输出到文件/tmp/tcpdump.log中的日志信息,确认carol与alice,以及dave和alice之间的ESP加密的ping报文是否正常。

  10:32:21.486656 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc4bc47be,seq=0x1), length 120
  10:32:21.486941 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc42f60a5,seq=0x1), length 120
  10:32:21.486980 IP carol.strongswan.org > alice.strongswan.org: ICMP echo reply, id 5206, seq 1, length 64
  10:32:21.517338 IP moon.strongswan.org > dave.strongswan.org: ESP(spi=0xcf667498,seq=0x1), length 120
  10:32:21.522550 IP dave.strongswan.org > moon.strongswan.org: ESP(spi=0xcd26bb7a,seq=0x1), length 120
  10:32:21.522592 IP dave.strongswan.org > alice.strongswan.org: ICMP echo reply, id 5207, seq 1, length 64

收尾阶段

配置文件:strongswan-5.8.1/testing/tests/botan/rw-ecp256/posttest.dat,内容如下。其中第一行断开carol虚拟主机上名称为home的连接。第二行断开dave主机上名称为home的连接。第三、四、五行终止carol、dave和moon网关上的StrongSwan进程。最后三行恢复moon网关以及carol和dave主机上的iptables规则。

carol::swanctl --terminate --ike home
dave::swanctl --terminate --ike home
carol::systemctl stop strongswan
dave::systemctl stop strongswan
moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush

测试结果文件默认都保存在目录:/srv/strongswan-testing/testresults/20191029-1032-10/botan/rw-ecp256/下,其中文件console.log 记录了整个的测试过程。文件carol.daemon.log、dave.daemon.log和moon.daemon.log文件记录了各自主机上charon-systemd主进程的日志。完整的测试结果文件列表见本文开始部分。下图为IKEv2报文的交互报文。

在这里插入图片描述

END

  • 0
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

相关推荐
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值