The following walks through the XAuth configuration and authentication flow using the test environment under testing/tests/swanctl/xauth-rsa/ in the strongSwan source tree. Extended authentication (XAuth) runs after the RSA public key signature authentication (pubkey) of Main Mode has completed. The topology is as follows:
The devices in the topology diagram are the virtual hosts carol and dave and the virtual gateway moon.
Virtual host configuration
carol's configuration file /etc/swanctl/swanctl.conf has the content below. In the home connection, the local-xauth section enables xauth and sets the XAuth ID to carol.
In addition, the xauth-carol subsection of the secrets section defines the user with ID carol and its secret, "4iChxLT3".
connections {
    home {
        local_addrs  = 192.168.0.100
        remote_addrs = 192.168.0.1
        local {
            auth = pubkey
            certs = carolCert.pem
            id = carol@strongswan.org
        }
        local-xauth {
            auth = xauth
            xauth_id = carol
        }
        remote {
            auth = pubkey
            id = moon.strongswan.org
        }
        children {
            home {
                remote_ts = 10.1.0.0/16
                updown = /usr/local/libexec/ipsec/_updown iptables
                esp_proposals = aes128gcm128-modp3072
            }
        }
        version = 1
        proposals = aes128-sha256-modp3072
    }
}
secrets {
    xauth-carol {
        id = carol
        secret = "4iChxLT3"
    }
}
carol's configuration file /etc/strongswan.conf is shown below. The xauth-generic plugin used by this test has to be included in the load list; without it charon cannot act as the XAuth client.
charon-systemd {
    load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
}
dave's configuration is essentially the same as carol's, except that dave's XAuth ID is dave and its password is "ryftzG4A".
Gateway configuration
The configuration file /etc/swanctl/swanctl.conf of gateway moon is shown below. Its secrets section defines two XAuth users: xauth-carol with user ID carol and secret "4iChxLT3", and xauth-dave with user ID dave and secret "ryftzG4A". These match the user secrets configured on the hosts carol and dave above. Note that the remote-xauth section on moon carries no xauth_id: the gateway accepts whichever ID the client presents and looks the password up under that ID in its secrets section.
connections {
    rw {
        local_addrs = 192.168.0.1
        local {
            auth = pubkey
            certs = moonCert.pem
            id = moon.strongswan.org
        }
        remote {
            auth = pubkey
        }
        remote-xauth {
            auth = xauth
        }
        children {
            net {
                local_ts = 10.1.0.0/16
                updown = /usr/local/libexec/ipsec/_updown iptables
                esp_proposals = aes128gcm128-modp3072
            }
        }
        version = 1
        proposals = aes128-sha256-modp3072
    }
}
secrets {
    xauth-carol {
        id = carol
        secret = "4iChxLT3"
    }
    xauth-dave {
        id = dave
        secret = "ryftzG4A"
    }
}
Connection establishment flow
The procedure is as follows. First the strongSwan daemon is started on the two virtual hosts carol and dave and on the gateway moon; then the child SA named home is initiated on carol and on dave (the expect-connection lines are test harness steps that wait until the named connection has been loaded).
moon::systemctl start strongswan
carol::systemctl start strongswan
dave::systemctl start strongswan
moon::expect-connection rw
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
dave::swanctl --initiate --child home 2> /dev/null
Next, look at the log of the strongSwan daemon on the moon gateway, taking host carol (192.168.0.100) as the example. The XAuth vendor ID is already parsed from the first Main Mode (ID_PROT) packet received from carol; it announces that carol supports XAuth. Once Main Mode, including the RSA signature authentication, completes, moon asks for the XAuth user name (X_USER) and password (X_PWD) in a Mode Config TRANSACTION request. carol returns both in the TRANSACTION response as plain attribute values: the password is not hashed or otherwise transformed, and its only protection on the wire is the encryption of the ISAKMP message under the Phase 1 IKE SA. This is why it matters that Phase 1 here authenticated moon by certificate before carol disclosed the password. moon verifies the credentials against its secrets section, returns the result (X_STATUS) to carol, and carol acknowledges it; only then does moon report the IKE_SA as established.
moon charon-systemd: 13[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500] (180 bytes)
moon charon-systemd: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
moon charon-systemd: 13[IKE] received XAuth vendor ID
moon charon-systemd: 15[ENC] generating TRANSACTION request 2502723008 [ HASH CPRQ(X_USER X_PWD) ]
moon charon-systemd: 15[NET] sending packet: from 192.168.0.1[500] to 192.168.0.100[500] (92 bytes)
moon charon-systemd: 07[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500] (108 bytes)
moon charon-systemd: 07[ENC] parsed TRANSACTION response 2502723008 [ HASH CPRP(X_USER X_PWD) ]
moon charon-systemd: 07[IKE] XAuth authentication of 'carol' successful
moon charon-systemd: 07[ENC] generating TRANSACTION request 618466142 [ HASH CPS(X_STATUS) ]
moon charon-systemd: 07[NET] sending packet: from 192.168.0.1[500] to 192.168.0.100[500] (92 bytes)
moon charon-systemd: 08[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500] (92 bytes)
moon charon-systemd: 08[ENC] parsed TRANSACTION response 618466142 [ HASH CPA(X_STATUS) ]
moon charon-systemd: 08[IKE] IKE_SA rw[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]
The corresponding strongSwan log on host carol is shown below. The first Main Mode response from moon likewise carries the XAuth vendor ID. After the RSA authentication completes, carol receives the Mode Config TRANSACTION request from gateway moon (192.168.0.1) asking for the XAuth user name and password, and answers with them. moon then sends the authentication result (X_STATUS), carol acknowledges it (X_STATUS), and the connection is established.
carol charon-systemd: 05[CFG] vici initiate CHILD_SA 'home'
carol charon-systemd: 10[IKE] initiating Main Mode IKE_SA home[1] to 192.168.0.1
carol charon-systemd: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ]
carol charon-systemd: 10[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (180 bytes)
carol charon-systemd: 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (160 bytes)
carol charon-systemd: 06[ENC] parsed ID_PROT response 0 [ SA V V V V ]
carol charon-systemd: 06[IKE] received XAuth vendor ID
carol charon-systemd: 07[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (92 bytes)
carol charon-systemd: 07[ENC] parsed TRANSACTION request 2502723008 [ HASH CPRQ(X_USER X_PWD) ]
carol charon-systemd: 07[ENC] generating TRANSACTION response 2502723008 [ HASH CPRP(X_USER X_PWD) ]
carol charon-systemd: 07[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (108 bytes)
carol charon-systemd: 08[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (92 bytes)
carol charon-systemd: 08[ENC] parsed TRANSACTION request 618466142 [ HASH CPS(X_STATUS) ]
carol charon-systemd: 08[IKE] XAuth authentication of 'carol' (myself) successful
carol charon-systemd: 08[IKE] IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
carol charon-systemd: 08[ENC] generating TRANSACTION response 618466142 [ HASH CPA(X_STATUS) ]
carol charon-systemd: 08[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (92 bytes)
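To make the four Mode Config messages in the two logs concrete, here is an added example (written for this page; it is not code from the strongSwan test scenario or from the strongSwan code base) that encodes and decodes the ISAKMP attribute payload carried in the TRANSACTION exchange and runs the gateway-side check that moon performs. It assumes the attribute payload layout of RFC 2408 section 3.15 and the XAuth attribute numbers of the XAuth Internet-Draft (X_USER = 16521, X_PWD = 16522, X_STATUS = 16527), builds its secrets table from the secrets section of moon's swanctl.conf above, and leaves out the ISAKMP encryption and HASH layer that wraps these payloads on the wire. All function and variable names are the example's own.

```python
"""Added example: ISAKMP Mode Config (attribute payload) encode/decode for the
XAuth TRANSACTION exchange, plus the gateway-side password check.
Not strongSwan code. Constants follow RFC 2408 3.15 and the XAuth I-D."""
import hmac
import struct

# Mode Config message types, as charon abbreviates them in its log.
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
CFG_NAMES = {CFG_REQUEST: "CPRQ", CFG_REPLY: "CPRP", CFG_SET: "CPS", CFG_ACK: "CPA"}

# XAuth attribute types (draft-ietf-ipsec-isakmp-xauth-06).
XAUTH_USER_NAME = 16521      # X_USER in the charon log
XAUTH_USER_PASSWORD = 16522  # X_PWD
XAUTH_STATUS = 16527         # X_STATUS
ATTR_NAMES = {XAUTH_USER_NAME: "X_USER", XAUTH_USER_PASSWORD: "X_PWD",
              XAUTH_STATUS: "X_STATUS"}
STATUS_FAIL, STATUS_OK = 0, 1

AF_BIT = 0x8000  # attribute format flag: set -> TV (2-byte value), clear -> TLV

def encode_attrs(attrs):
    """Encode ISAKMP data attributes: an int value becomes a TV attribute,
    bytes becomes a TLV (empty bytes -> zero-length TLV, as in a request)."""
    out = bytearray()
    for typ, val in attrs:
        if isinstance(val, int):
            out += struct.pack("!HH", typ | AF_BIT, val)
        else:
            out += struct.pack("!HH", typ & ~AF_BIT, len(val)) + val
    return bytes(out)

def encode_cfg_payload(cfg_type, identifier, attrs, next_payload=0):
    """Generic payload header + attribute payload body. 'identifier' is the
    attribute payload's own field, not the message ID printed in the log."""
    body = struct.pack("!BBH", cfg_type, 0, identifier) + encode_attrs(attrs)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def decode_cfg_payload(data):
    """Parse one attribute payload -> (cfg_type, identifier, [(type, value)]).
    Length fields are bounds-checked so truncated input raises instead of
    reading past the buffer."""
    _next, _res, length = struct.unpack("!BBH", data[:4])
    if length < 8 or length > len(data):
        raise ValueError("bad payload length")
    cfg_type, _res, identifier = struct.unpack("!BBH", data[4:8])
    attrs, pos = [], 8
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated attribute header")
        raw_type, second = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if raw_type & AF_BIT:
            attrs.append((raw_type & ~AF_BIT, second))
        else:
            if pos + second > length:
                raise ValueError("attribute overruns payload")
            attrs.append((raw_type, data[pos:pos + second]))
            pos += second
    return cfg_type, identifier, attrs

def describe(data):
    """Render a payload the way charon logs it, e.g. 'CPRP(X_USER X_PWD)'."""
    cfg_type, _ident, attrs = decode_cfg_payload(data)
    return f"{CFG_NAMES[cfg_type]}({' '.join(ATTR_NAMES.get(t, str(t)) for t, _ in attrs)})"

# Constructed secrets table mirroring the secrets section of moon's swanctl.conf.
GATEWAY_SECRETS = {b"carol": b"4iChxLT3", b"dave": b"ryftzG4A"}

def gateway_verify(reply_payload, secrets=GATEWAY_SECRETS):
    """What moon does with the CPRP: look the user up and compare the password
    in constant time. Returns (xauth_id, STATUS_OK | STATUS_FAIL)."""
    cfg_type, _ident, attrs = decode_cfg_payload(reply_payload)
    if cfg_type != CFG_REPLY:
        return None, STATUS_FAIL
    a = dict(attrs)
    user, pwd = a.get(XAUTH_USER_NAME, b""), a.get(XAUTH_USER_PASSWORD, b"")
    if not isinstance(user, bytes) or not isinstance(pwd, bytes):
        return None, STATUS_FAIL          # TV-encoded name/password is malformed
    expected = secrets.get(user)
    # Always run compare_digest (against an empty dummy for unknown users) so
    # unknown-user and wrong-password rejections take the same code path.
    ok = hmac.compare_digest(pwd, expected or b"") and expected is not None
    return user, STATUS_OK if ok else STATUS_FAIL

def run_exchange(user, password, secrets=GATEWAY_SECRETS):
    """The four Mode Config messages of one XAuth exchange, in log order."""
    msgs = {}
    msgs["CPRQ"] = encode_cfg_payload(CFG_REQUEST, 1,
                                      [(XAUTH_USER_NAME, b""), (XAUTH_USER_PASSWORD, b"")])
    msgs["CPRP"] = encode_cfg_payload(CFG_REPLY, 1,
                                      [(XAUTH_USER_NAME, user), (XAUTH_USER_PASSWORD, password)])
    xauth_id, status = gateway_verify(msgs["CPRP"], secrets)
    msgs["CPS"] = encode_cfg_payload(CFG_SET, 2, [(XAUTH_STATUS, status)])
    msgs["CPA"] = encode_cfg_payload(CFG_ACK, 2, [(XAUTH_STATUS, status)])
    return xauth_id, status, msgs

if __name__ == "__main__":
    for u, p in ((b"carol", b"4iChxLT3"), (b"dave", b"wrong")):
        xid, status, msgs = run_exchange(u, p)
        print(xid.decode(), "OK" if status == STATUS_OK else "FAIL",
              [describe(m) for m in msgs.values()])
```

Running it prints carol's exchange ending in X_STATUS OK and a rejected attempt for dave with a wrong password. Decoding the CPRP bytes shows the point made above: the password sits in the attribute value unchanged, so anyone who can read the decrypted ISAKMP message has it, and the exchange relies entirely on the Phase 1 SA for confidentiality.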
The following is the first Mode Config packet sent by gateway moon requesting the user name and password:
The following is the XAuth user name and password returned by host carol:
The following is the XAuth authentication result packet sent by gateway moon:
The following is the packet in which host carol acknowledges the authentication result.
Once XAuth completes, carol starts the Phase 2 Quick Mode exchange. Finally, swanctl --list-conns on carol shows the connection as below: besides the public key authentication, the local side also authenticated with xauth_id carol.
home: IKEv1, reauthentication every 14400s
  local:  192.168.0.100
  remote: 192.168.0.1
  local public key authentication:
    id: carol@strongswan.org
    certs: C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org
  local XAuth authentication:
    xauth_id: carol
  remote public key authentication:
    id: moon.strongswan.org
  home: TUNNEL, rekeying every 3600s
    local:  dynamic
    remote: 10.1.0.0/16
strongSwan version tested: 5.8.1