SWAN之ikev2协议multi-level-ca-cr-resp配置测试

IPSecurity 专栏收录该内容
89 篇文章 4 订阅

本测试主要验证多级CA证书验证的功能,远程用户carol,dave与网关moon建立连接时,carol和dave使用中间CA证书以及中间CA所签发的实体证书,moon主机使用CA根证书。在认证过程中,carol和dave在IKE_AUTH请求消息中将中间CA证书发送给moon主机。本次测试拓扑如下:
在这里插入图片描述

carol主机配置

carol的配置文件:ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf,内容如下。字段rightca的值为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",即要求对端的证书由名称CN为:"strongSwan Root CA"的CA签发。

conn %default
        keyexchange=ikev2
        left=PH_IP_CAROL
        leftcert=carolCert.pem
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

conn alice
        rightsubnet=PH_IP_ALICE/32
        auto=add

carol主机的CA证书文件researchCert.pem内容如下,其有名称为"strongSwan Root CA"的根证书签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem -noout -text   
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Root CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2028 GMT
        Subject: C = CH, O = strongSwan Project, OU = Research, CN = Research CA

carol主机的证书文件carolCert.pem内容如下,其有以上名称为"Research CA"的证书(researchCert.pem)签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem -noout -text                  
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, OU = Research, CN = Research CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2027 GMT
        Subject: C = CH, O = strongSwan Project, OU = Research, CN = carol@strongswan.org

dave主机配置

dave的配置文件:ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf,内容如下。字段rightca的值为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",即要求对端的证书由名称CN为:"strongSwan Root CA"的CA证书签发。

conn %default
        keyexchange=ikev2
        left=PH_IP_DAVE
        leftcert=daveCert.pem
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

conn venus
        rightsubnet=PH_IP_VENUS/32
        auto=add

dave的CA证书文件salesCert.pem内容如下,其有名称为"strongSwan Root CA"的根证书签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Root CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2028 GMT
        Subject: C = CH, O = strongSwan Project, OU = Sales, CN = Sales CA

dave主机的证书文件daveCert.pem内容如下,其有以上名称为"Sales CA"的证书(salesCert.pem)签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, OU = Sales, CN = Sales CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2027 GMT
        Subject: C = CH, O = strongSwan Project, OU = Sales, CN = dave@strongswan.org

网关配置

moon网关的配置文件:ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf,内容如下。ca段指定了moon主机使用的CA证书,以及CRL证书的地址。

另外,分别定义了两个连接。名称为alice的连接配置中,rightca字段为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",要求对端的证书由名称(CN)为"strongSwan Root CA"的CA签发。

连接venus配置中,rightca字段为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",要求对端的证书由名称(CN)为"strongSwan Root CA"的CA签发。由以上carol和dave主机的配置可知,两个主机的证书都满足要求,这里以rightid来区分两个远程用户连接。

moon主机没有中间CA证书:“Research CA"和"Sales CA”。

ca strongswan
        cacert=strongswanCert.pem
        crluri=http://crl.strongswan.org/strongswan.crl
        auto=add

conn %default
        keyexchange=ikev2
        left=PH_IP_MOON
        leftcert=moonCert.pem
        leftsendcert=ifasked
        leftid=@moon.strongswan.org

conn alice
        leftsubnet=PH_IP_ALICE/32
        right=%any
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
        auto=add

conn venus
        leftsubnet=PH_IP_VENUS/32
        right=%any
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
        auto=add

测试准备阶段

配置文件:ikev2/multi-level-ca-cr-resp/pretest.dat,内容为通常的ipsec连接的启动语句。

测试阶段

配置文件:ikev2/multi-level-ca-cr-resp/evaltest.dat内容如下。在carol和dave主机的strongswan日志文件中,确认向对端(moon)发送中间证书的信息。在moon主机的strongswan日志中确认证书验证过程。

carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES

以下carol网关上strongswan进程的日志信息,在IKE_AUTH请求报文中,发送两个证书请求,一个是名称CN为:“strongSwan Root CA"的证书请求;另一个是CN为"Research CA"的证书请求。另外,发送本地的实体证书,CN为"arol@strongswan.org”,以及CN为"Research CA"的中间CA证书。

carol charon: 12[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (273 bytes)
carol charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
carol charon: 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
carol charon: 12[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
carol charon: 12[IKE] sending cert request for "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
carol charon: 12[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
carol charon: 12[IKE] authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
carol charon: 12[IKE] sending end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
carol charon: 12[IKE] sending issuer cert "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
carol charon: 12[IKE] establishing CHILD_SA alice{1}
carol charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

如下图所示,carol的IKE_AUTH请求报文中包含两个CERT证书载荷。

在这里插入图片描述

以下为moon主机上strongswan进程日志中与carol相关的信息。moon网关在接收到的IKE_AUTH响应报文中,首先发现对CN为"strongSwan Root CA"证书的请求;之后又发现证书请求中包含不识别的CA,即carol发送的CA名称为"Research CA"的证书请求。

接下来,moon发现除了接收到carol的实体证书外,还接收到了中间CA证书,其CN为"Research CA"。

moon charon: 16[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1236 bytes)
moon charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
moon charon: 05[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[IKE] received 1 cert requests for an unknown ca
moon charon: 05[IKE] received end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 05[IKE] received issuer cert "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org]

以上信息匹配到moon的配置的连接alice,虽然接收到的"Research CA"证书不可信,但是仍然使用它验证获取到的research.crl证书,再有此CRL证书验证carol证书的有效性。最后,获取strongswan.crl证书,由根证书"strongSwan Root CA"验证其有效性,在由此CRL证书验证中间CA证书"Research CA"的有效性。

moon charon: 05[CFG] selected peer config 'alice'
moon charon: 05[CFG]   using certificate "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 05[CFG]   using untrusted intermediate certificate "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG] checking certificate status of "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 05[CFG]   fetching crl from 'http://crl.strongswan.org/research.crl' ...
moon charon: 05[CFG]   using certificate "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[CFG]   reached self-signed root ca with a path length of 0
moon charon: 05[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG]   crl is valid: until Nov 15 03:32:58 2019
moon charon: 05[CFG] certificate status is good
moon charon: 05[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[CFG] checking certificate status of "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 05[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
moon charon: 05[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[CFG]   crl is valid: until Nov 15 03:32:58 2019
moon charon: 05[CFG] certificate status is good
moon charon: 05[CFG]   reached self-signed root ca with a path length of 1
moon charon: 05[IKE] authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful

strongswan测试版本: 5.8.1

END

  • 0
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

相关推荐
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值