XAUTH Authentication

The following walks through the XAuth configuration and authentication flow using the test environment in testing/tests/swanctl/xauth-rsa/ of the strongSwan source tree. Extended authentication (XAUTH) is performed after RSA public-key signature authentication (pubkey). The topology is as follows:

(topology figure not reproduced)

The devices in the topology are the virtual hosts carol and dave and the virtual gateway moon.

Virtual host configuration

carol's configuration file /etc/swanctl/swanctl.conf is shown below. In the home connection, the local-xauth section enables xauth, with the ID set to carol.

In addition, the xauth-carol subsection of the secrets section defines the user with ID carol and its secret "4iChxLT3".

connections {

   home {
      local_addrs  = 192.168.0.100
      remote_addrs = 192.168.0.1 

      local {
         auth = pubkey
         certs = carolCert.pem
         id = carol@strongswan.org
      }
      local-xauth {
         auth = xauth
         xauth_id = carol
      }
      remote {
         auth = pubkey
         id = moon.strongswan.org 
      }
      children {
         home {
            remote_ts = 10.1.0.0/16 

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128gcm128-modp3072
         }
      }
      version = 1 
      proposals = aes128-sha256-modp3072
   }
}

secrets {

   xauth-carol {
      id = carol
      secret = "4iChxLT3" 
   }
}

carol's configuration file /etc/strongswan.conf is shown below. The xauth-generic plugin used in this test must be loaded here.

charon-systemd {
  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
}

Host dave's configuration is essentially the same as carol's; the difference is that dave's XAuth ID is dave and its password is "ryftzG4A".

Gateway configuration

Gateway moon's configuration file /etc/swanctl/swanctl.conf is shown below. Two XAuth users are configured in the secrets section: xauth-carol defines user ID carol with secret "4iChxLT3", and xauth-dave defines user ID dave with secret "ryftzG4A". These match the user secrets configured on hosts carol and dave above.

connections {

   rw {
      local_addrs  = 192.168.0.1

      local {
         auth = pubkey
         certs = moonCert.pem
         id = moon.strongswan.org
      }
      remote {
         auth = pubkey
      }
      remote-xauth {
         auth = xauth
      }
      children {
         net {
            local_ts  = 10.1.0.0/16

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128gcm128-modp3072
         }
      }
      version = 1
      proposals = aes128-sha256-modp3072
   }
}

secrets {

   xauth-carol {
      id = carol
      secret = "4iChxLT3"
   }
   xauth-dave {
      id = dave
      secret = "ryftzG4A"
   }
}

Connection establishment flow

The procedure is as follows: first start the strongSwan daemon on the two virtual hosts carol and dave and on gateway moon; then, on carol and dave, initiate the child connection named home.

moon::systemctl start strongswan
carol::systemctl start strongswan
dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
dave::swanctl --initiate --child home 2> /dev/null

Next, look at the strongSwan daemon log on gateway moon. Taking host carol (192.168.0.100) as an example: first, the XAuth vendor ID is parsed from the first Main Mode packet received from carol. Later, after the Main Mode (phase 1) exchange has completed, moon requests the XAuth username (X_USER) and password (X_PWD) in a configuration-mode packet (TRANSACTION request); carol returns the username and password in plaintext (as ordinary attribute values, protected only by the phase 1 IKE SA's encryption) in its reply (TRANSACTION response), moon verifies them and returns the result to carol (X_STATUS), and finally carol acknowledges the result.

moon charon-systemd: 13[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500] (180 bytes)
moon charon-systemd: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
moon charon-systemd: 13[IKE] received XAuth vendor ID

moon charon-systemd: 15[ENC] generating TRANSACTION request 2502723008 [ HASH CPRQ(X_USER X_PWD) ]
moon charon-systemd: 15[NET] sending packet: from 192.168.0.1[500] to 192.168.0.100[500] (92 bytes)
moon charon-systemd: 07[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500] (108 bytes)
moon charon-systemd: 07[ENC] parsed TRANSACTION response 2502723008 [ HASH CPRP(X_USER X_PWD) ]
moon charon-systemd: 07[IKE] XAuth authentication of 'carol' successful
moon charon-systemd: 07[ENC] generating TRANSACTION request 618466142 [ HASH CPS(X_STATUS) ]
moon charon-systemd: 07[NET] sending packet: from 192.168.0.1[500] to 192.168.0.100[500] (92 bytes)
moon charon-systemd: 08[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500] (92 bytes)
moon charon-systemd: 08[ENC] parsed TRANSACTION response 618466142 [ HASH CPA(X_STATUS) ]
moon charon-systemd: 08[IKE] IKE_SA rw[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]

The strongSwan log on host carol corresponding to the moon gateway log above is shown below. The first Main Mode reply packet that carol receives from moon likewise carries the XAuth vendor ID. After RSA authentication completes, carol receives the configuration-mode packet (TRANSACTION request) from gateway moon (192.168.0.1) requesting the XAuth username and password, and replies with them. moon then sends the authentication result (X_STATUS), carol acknowledges it (X_STATUS), and the connection is established.

carol charon-systemd: 05[CFG] vici initiate CHILD_SA 'home'
carol charon-systemd: 10[IKE] initiating Main Mode IKE_SA home[1] to 192.168.0.1
carol charon-systemd: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ]
carol charon-systemd: 10[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (180 bytes)
carol charon-systemd: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (160 bytes)
carol charon-systemd: 06[ENC] parsed ID_PROT response 0 [ SA V V V V ]
carol charon-systemd: 06[IKE] received XAuth vendor ID

carol charon-systemd: 07[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (92 bytes)
carol charon-systemd: 07[ENC] parsed TRANSACTION request 2502723008 [ HASH CPRQ(X_USER X_PWD) ]
carol charon-systemd: 07[ENC] generating TRANSACTION response 2502723008 [ HASH CPRP(X_USER X_PWD) ]
carol charon-systemd: 07[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (108 bytes)
carol charon-systemd: 08[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (92 bytes)

carol charon-systemd: 08[ENC] parsed TRANSACTION request 618466142 [ HASH CPS(X_STATUS) ]
carol charon-systemd: 08[IKE] XAuth authentication of 'carol' (myself) successful
carol charon-systemd: 08[IKE] IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
carol charon-systemd: 08[ENC] generating TRANSACTION response 618466142 [ HASH CPA(X_STATUS) ]
carol charon-systemd: 08[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (92 bytes)
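To make the TRANSACTION exchange described above machine-checkable, here is an added Python example (not code from the page or from the strongSwan project) that pairs each configuration-mode request with its reply by ISAKMP message ID and collects the per-user XAuth outcome from charon-systemd log lines of the form shown in the moon and carol logs. The sample log is constructed from the shape of moon's log; the "failed" line for dave is an assumed wording used to exercise the failure path.

```python
import re
# Constructed sample in the shape of moon's charon-systemd log on this page; the
# 'failed' line for dave is an assumed wording, not copied from the page.
SAMPLE_LOG = """\
moon charon-systemd: 15[ENC] generating TRANSACTION request 2502723008 [ HASH CPRQ(X_USER X_PWD) ]
moon charon-systemd: 07[ENC] parsed TRANSACTION response 2502723008 [ HASH CPRP(X_USER X_PWD) ]
moon charon-systemd: 07[IKE] XAuth authentication of 'carol' successful
moon charon-systemd: 07[ENC] generating TRANSACTION request 618466142 [ HASH CPS(X_STATUS) ]
moon charon-systemd: 08[ENC] parsed TRANSACTION response 618466142 [ HASH CPA(X_STATUS) ]
moon charon-systemd: 09[ENC] generating TRANSACTION request 1122334455 [ HASH CPRQ(X_USER X_PWD) ]
moon charon-systemd: 09[ENC] parsed TRANSACTION response 1122334455 [ HASH CPRP(X_USER X_PWD) ]
moon charon-systemd: 09[IKE] XAuth authentication of 'dave' failed
moon charon-systemd: 09[ENC] generating TRANSACTION request 998877665 [ HASH CPS(X_STATUS) ]
"""

# One TRANSACTION line: request/response, ISAKMP message ID, config payload type and attributes.
TRANS_RE = re.compile(
    r"TRANSACTION (?P<kind>request|response) (?P<mid>\d+) "
    r"\[ HASH (?P<cp>CPRQ|CPRP|CPS|CPA)\((?P<attrs>[^)]*)\) \]")
AUTH_RE = re.compile(
    r"XAuth authentication of '(?P<user>[^']+)' (?P<result>successful|failed)")
# The config payload type that validly answers each request type.
EXPECTED_REPLY = {"CPRQ": "CPRP", "CPS": "CPA"}

def trace_xauth(log_text):
    """Pair TRANSACTION requests with replies by message ID and collect outcomes."""
    pending = {}       # message ID -> request payload type awaiting a reply
    exchanges = []     # (message ID, request type, reply type, attribute names)
    results = {}       # XAuth user -> 'successful' | 'failed'
    mismatched = []    # replies with no matching request or the wrong payload type
    for line in log_text.splitlines():
        m = TRANS_RE.search(line)
        if m:
            mid, cp = int(m["mid"]), m["cp"]
            if m["kind"] == "request":
                pending[mid] = cp
            else:
                req = pending.pop(mid, None)
                if req is None or EXPECTED_REPLY.get(req) != cp:
                    mismatched.append((mid, req, cp))
                else:
                    exchanges.append((mid, req, cp, m["attrs"].split()))
            continue
        a = AUTH_RE.search(line)
        if a:
            results[a["user"]] = a["result"]
    return {"exchanges": exchanges, "results": results,
            "unanswered": sorted(pending), "mismatched": mismatched}
```

The same function works on carol's log, where the direction words are reversed (parsed request, generating response), because pairing relies only on the message ID and payload types.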

Figure: the first configuration-mode packet sent by gateway moon requesting the username and password (packet capture screenshot not reproduced).

Figure: carol's reply carrying the XAuth username and password (screenshot not reproduced).

Figure: the XAuth authentication result packet sent by gateway moon (screenshot not reproduced).

Figure: carol's packet acknowledging the authentication result (screenshot not reproduced).

After XAuth authentication completes, host carol starts the phase 2 Quick Mode exchange. Finally, swanctl --list-conns can be run on carol to inspect the connection, as shown below: besides public-key authentication, the local host also authenticated with xauth_id carol.

home: IKEv1, reauthentication every 14400s
  local:  192.168.0.100
  remote: 192.168.0.1
  local public key authentication:
    id: carol@strongswan.org
    certs: C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org
  local XAuth authentication:
    xauth_id: carol
  remote public key authentication:
    id: moon.strongswan.org
  home: TUNNEL, rekeying every 3600s
    local:  dynamic
    remote: 10.1.0.0/16

strongSwan version tested: 5.8.1

END
