strongSwan ikev2/acert-fallback test


In this test the remote user (roadwarrior) carol establishes a connection with the gateway moon. Authentication is based on X.509 certificates; to authorize the remote user, the moon gateway expects the user to carry an attribute certificate in the CERT payload of the IKEv2 message. Host carol holds two attribute certificates, for the groups sales and finance respectively; the attribute certificate for the finance group has expired and is no longer valid, so carol is only granted access as a member of the sales group.

Run the ikev2/acert-fallback test case as follows; note that the start-testing script must be run beforehand to bring up the test environment.

$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests ikev2/acert-fallback
 
Guest kernel : 5.2.11
strongSwan   : 5.8.1
Date         : 20191030-1120-27

[ ok ]  1 ikev2/acert-fallback: pre..test..post

Passed : 1
Failed : 0

The results are available in /srv/strongswan-testing/testresults/20191030-1120-27
or via the link http://192.168.0.150/testresults/20191030-1120-27

Finished : 220191030-1120-33

From the output above, the result files of test case ikev2/acert-fallback are stored under /srv/strongswan-testing/testresults/20191030-1120-27/ikev2/acert-fallback/. These files record the state information and run logs of the virtual host carol and the gateway moon during the test. The test topology is as follows:

[Figure: test topology]

carol configuration

Connection configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf, with the following content. The IP address of virtual host carol is 192.168.0.100 and that of the moon gateway is 192.168.0.1.

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn home
        left=PH_IP_CAROL
        leftcert=carolCert.pem
        leftid=carol@strongswan.org
        leftfirewall=yes
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightsubnet=10.1.0.0/16
        keyexchange=ikev2
        auto=add

strongSwan configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf, with the following content; it specifies the plugins to load.

charon {
  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
}

In addition, two attribute certificates are provided to host carol for this test: carol-finance-expired.pem and carol-sales.pem. The information of the former is shown below; its groups field is finance, but its validity period has already expired.

$ cd strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/
$
$ pki --print --type ac --in carol-finance-expired.pem   
  subject:  "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
  issuer:   "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
  validity:  not before Sep 14 08:37:52 2019, ok
             not after  Sep 15 08:37:52 2019, expired (45 days ago)
  serial:    65:cb:97:37:1d:53:3f:49
  hissuer:  "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  hserial:   01
  groups:    finance
  authkey:  46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71

The information of the attribute certificate carol-sales.pem is shown below; its groups field is sales and it is within its validity period.

$ pki --print --type ac --in carol-sales.pem 
  subject:  "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
  issuer:   "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
  validity:  not before Sep 15 08:37:52 2019, ok
             not after  Sep 14 08:37:52 2027, ok (expires in 2875 days)
  serial:    33:bd:8a:19:d5:43:94:d3
  hissuer:  "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  hserial:   01
  groups:    sales
  authkey:  46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71

moon gateway configuration

Configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf, with the following content. Two connections are configured, finance and sales. The former requires membership of group finance and grants access to 10.1.0.10/32, i.e. the single host alice. The latter requires membership of group sales and grants access to 10.1.0.20/32, the single host venus.

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn finance
        left=PH_IP_MOON
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftsubnet=10.1.0.10/32
        leftfirewall=yes
        right=%any
        rightid=*@strongswan.org
        rightgroups=finance
        keyexchange=ikev2
        auto=add

conn sales
        left=PH_IP_MOON
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftsubnet=10.1.0.20/32
        leftfirewall=yes
        right=%any
        rightgroups=sales
        keyexchange=ikev2
        auto=add

The certificates used by the moon gateway are as follows:

$ ls strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ -R   
 ipsec.d/aacerts/aaCert.pem
 ipsec.d/private/aaKey.pem

The following is the attribute authority certificate held by the moon gateway (aaCert.pem); its issuer is strongSwan Root CA and its own CN is strongSwan Attribute Authority.

$ pki --print --type x509 --in strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem   
  subject:  "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
  issuer:   "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  validity:  not before Sep 14 08:37:52 2019, ok
             not after  Sep 14 08:37:52 2028, ok (expires in 3241 days)
  serial:    17
  flags:     
  CRL URIs:  http://crl.strongswan.org/strongswan.crl
  authkeyId: 7e:a0:7b:77:a5:91:58:79:df:35:eb:4e:fc:0f:b6:b8:68:ae:a2:47
  subjkeyId: 46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71
  pubkey:    RSA 3072 bits
  keyid:     b4:5c:07:1b:d6:cf:dc:68:7c:c9:2a:5d:ca:5d:47:ce:3f:27:9f:b1
  subjkey:   46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71

strongSwan configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf, with the following content; it specifies the plugins to load. Note that, unlike carol, moon loads the acert plugin, which performs the attribute certificate checks.

charon {
  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown
}

Pre-test stage

Configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/pretest.dat, with the following content. In the pre-test stage, the saved iptables rule configuration of the moon gateway and host carol is loaded, and strongSwan is started. The expect-connection script checks on the moon gateway and host carol that the connections named finance, sales and home have been set up. Finally the home connection is brought up on host carol.

As shown earlier, the configuration of the home, finance and sales connections can be seen in the configuration files (etc/ipsec.conf) of host carol and the moon gateway.

moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
moon::expect-connection finance
moon::expect-connection sales
carol::expect-connection home
carol::ipsec up home

Test stage

Configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/evaltest.dat, with the following content. First, the state of the connection to the moon gateway is checked on host carol, and the connection states of dave and carol are checked on the moon gateway: the former must not be found, while the latter (carol) must be ESTABLISHED. Next, the strongSwan daemon log on the moon gateway is checked to confirm that the finance group check failed.

carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES

The following test statements ping the IP addresses of hosts alice and venus from host carol; the former must get no response, while the latter must receive a reply. The last two statements check the tcpdump log on the moon gateway to confirm that the ping packets are ESP-encrypted.

carol::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
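The evaltest.dat format used above (host::command::pattern::YES|NO), as an added example evaluator that is not the do-tests script itself: it splits each line, applies the pattern as a regular expression to constructed command output standing in for the guest hosts, and treats NO as "the pattern must not match". The sample outputs are constructed.

```python
import re

# Constructed sample: four of the evaltest.dat lines from this test case
# (format: host::command::pattern::YES|NO).
EVALTEST = """\
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES
"""

# Constructed command output standing in for what each guest would print
# (the real harness runs the command on the virtual host).
OUTPUTS = {
    ("carol", "ipsec status 2> /dev/null"):
        "home[1]: ESTABLISHED 3 seconds ago, 192.168.0.100[carol@strongswan.org]..."
        "192.168.0.1[moon.strongswan.org]\n",
    ("moon", "ipsec status 2> /dev/null"):
        "sales[1]: ESTABLISHED 3 seconds ago, 192.168.0.1[moon.strongswan.org]..."
        "192.168.0.100[carol@strongswan.org]\n",
    ("moon", "cat /var/log/daemon.log"):
        "moon charon: 14[CFG] constraint check failed: group membership to 'finance' required\n",
}

def parse_line(line):
    """Split one evaltest line into (host, command, pattern, expect_match)."""
    host, cmd, pattern, expect = line.split("::")
    return host.strip(), cmd.strip(), pattern, expect.strip() == "YES"

def evaluate(line, outputs):
    """True when the presence of the pattern in the output agrees with YES/NO."""
    host, cmd, pattern, expect = parse_line(line)
    matched = re.search(pattern, outputs.get((host, cmd), "")) is not None
    return matched == expect

def run(dat, outputs):
    """Evaluate every non-empty line; return (passed, failed) counts."""
    results = [evaluate(line, outputs) for line in dat.splitlines() if line.strip()]
    return sum(results), len(results) - sum(results)
```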

Post-test stage

Configuration file strongswan-5.8.1/testing/tests/ikev2/acert-fallback/posttest.dat, with the following content. The strongSwan daemons on host carol and the moon gateway are stopped, the iptables rule configuration on the moon gateway and host carol is restored, and finally the certificate files used in the test are deleted.

moon::ipsec stop
carol::ipsec stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
carol::rm /etc/ipsec.d/acerts/carol-sales.pem
carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem
moon::rm /etc/ipsec.d/private/aaKey.pem
moon::rm /etc/ipsec.d/aacerts/aaCert.pem

By default the test result files are stored under /srv/strongswan-testing/testresults/20191030-1120-27/ikev2/acert-fallback. The file console.log records the whole test run, and carol.daemon.log and moon.daemon.log record the logs of the charon-systemd main process. Below is the log of host moon, where it can be seen that, because the group in carol's valid (sales) attribute certificate does not satisfy the finance connection, moon switches to the sales connection:

 moon charon: 14[IKE] received attribute certificate issued by "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
 moon charon: 14[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]
 moon charon: 14[CFG] selected peer config 'finance'
 moon charon: 14[CFG]   using certificate "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
 moon charon: 14[CFG] verifying attribute certificate issued by "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"
 moon charon: 14[CFG] constraint check failed: group membership to 'finance' required
 moon charon: 14[CFG] selected peer config 'finance' unacceptable: non-matching authentication done
 moon charon: 14[CFG] switching to peer config 'sales'
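The fallback shown in the log above, modelled as an added example that is not part of the strongSwan test suite or this post: it parses the validity and groups fields out of the pki --print output shown earlier, keeps only the groups carried by attribute certificates that are valid at the evaluation time, and walks moon's peer configs in file order until one whose rightgroups constraint is satisfied is found. The constructed sample dump and the assumption that configs are tried in ipsec.conf order are mine.

```python
import re
from datetime import datetime

# Constructed sample: validity and groups fields of the two acerts shown above, "---"-separated.
CAROL_ACERTS = """\
  validity:  not before Sep 14 08:37:52 2019, ok
             not after  Sep 15 08:37:52 2019, expired (45 days ago)
  groups:    finance
---
  validity:  not before Sep 15 08:37:52 2019, ok
             not after  Sep 14 08:37:52 2027, ok (expires in 2875 days)
  groups:    sales
"""

# moon's peer configs with their rightgroups, in ipsec.conf order (assumed to be the try order).
MOON_CONFIGS = [("finance", {"finance"}), ("sales", {"sales"})]
PKI_TIME = "%b %d %H:%M:%S %Y"  # date format printed by `pki --print`
DATE_RE = r"(\w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})"

def parse_acert(block):
    """Extract (not_before, not_after, groups) from one pki --print dump."""
    not_before = re.search(r"not before\s+" + DATE_RE, block).group(1)
    not_after = re.search(r"not after\s+" + DATE_RE, block).group(1)
    groups = re.search(r"groups:\s+(.+)", block).group(1)
    return (datetime.strptime(not_before, PKI_TIME), datetime.strptime(not_after, PKI_TIME),
            {g.strip() for g in groups.split(",")})

def valid_groups(dump, now):
    """Groups asserted by attribute certificates that are valid at `now` (pki date format)."""
    t = datetime.strptime(now, PKI_TIME)
    groups = set()
    for block in dump.split("---"):
        not_before, not_after, acert_groups = parse_acert(block)
        if not_before <= t <= not_after:  # expired or not-yet-valid acerts contribute nothing
            groups |= acert_groups
    return groups

def select_peer_config(configs, groups):
    """Return (chosen config, log-like trail): first config whose rightgroups are met."""
    trail = []
    for name, required in configs:
        trail.append(f"selected peer config '{name}'")
        missing = required - groups
        if missing:
            trail.append(f"constraint check failed: group membership to '{sorted(missing)[0]}' required")
            continue
        return name, trail
    return None, trail
```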

END
